Any PHP coders out there?

fury

I've been using raw variables in my templates since before I can remember, but for the next revision of my game I'm going to give users the ability to create their own styles. This presents a potential security issue, as if I allow raw variable use one could simply walk into Mordor and grab everyone's passwords.

Do you think I should
  • disable variable use in templates and use string replacement on certain key words? e.g. instead of $userinfo[username] it would be {userinfo_username} or something along those lines
    or
  • allow only use of a variable inside a certain class? i.e. define a new class for publicly usable variables, $publicvariables, and escape a $ if it is not followed immediately by only that class name (allowing people to make references to dollar values)
    or
  • replace all instances of $something with $publicvariables->something (goes hand in hand with b kinda)
 
Not that I can help much with PHP coding, you are far more experienced in it than me. I just have a question: why give the users that ability? Can't you just restrict those styles to use HTML and restrict the use of PHP?

Restrict the database connections, so that every connection attempt would need a username/password. Obviously these would be stored in your PHP files and users would have no way of knowing the name of the database nor its password. This still leaves a potential security breach though.
 
They'd need some way to reference dynamic stuff like their stats, time until next turn, the battlefield, and the user stats pages.

Since I already escape quotes it will prevent them from executing actual PHP code, thus limiting them only to reading variables. Basically what I have in mind for forcing access only to a specific set of variables:

$template = preg_replace('/\$(\w+)/', '{\$g[\'$1\']}', $template); // to make it safe, so when they put $username in the template, it changes it to {$g['username']} - all the variables the user would be able to access would be stored in $g
$template = preg_replace('/{\$g\[\'(\w+)\'\]}/', '\$$1', $template); // to turn it back into a template the user can more easily understand and edit

I probably missed a slash or two with those example preg_replace()s, but that's kinda what I had in mind when I was talking about option B and C, except it uses an array instead of a class. I kind of just realized you can't really add properties to a class dynamically like you can indices to an array.

It makes it a little more CPU intensive during the uploading and editing process, but would probably be faster in the end.

For maximum security I'm only going to allow myself and the creator to view the style anyway, until I approve it, so that nobody can goatse the community. That would be kinda bad :lloyd:
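
A sketch of the first option from the opening post (placeholders such as {userinfo_username} instead of PHP variables), added here as an example and not code from the thread: it substitutes only allowlisted keys, HTML-escapes the values, and never evaluates the template as PHP. The function name render_template, the $public array and the sample data are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Render a user-supplied style template without eval().
 * Only keys present in $public are substituted; anything else,
 * including "$userinfo[password]" or an unknown placeholder,
 * stays inert text in the output.
 */
function render_template(string $template, array $public): string
{
    $out = preg_replace_callback(
        '/\{([a-z][a-z0-9_]*)\}/',
        static function (array $m) use ($public): string {
            $key = $m[1];
            if (!array_key_exists($key, $public)) {
                return $m[0]; // not allowlisted: leave the text untouched
            }
            // Escape the value so stored data cannot inject markup.
            return htmlspecialchars((string) $public[$key], ENT_QUOTES, 'UTF-8');
        },
        $template
    );
    if ($out === null) {
        throw new RuntimeException('template substitution failed');
    }
    return $out;
}

// Constructed sample data: the full record never reaches the renderer.
$userinfo = ['username' => 'fury<b>', 'turns' => 12, 'password' => 'not-exposed'];

// Explicit allowlist of what a style author may reference.
$public = [
    'userinfo_username' => $userinfo['username'],
    'userinfo_turns'    => $userinfo['turns'],
];

// Constructed template, single-quoted so PHP itself interpolates nothing.
$template = '<p>{userinfo_username}: {userinfo_turns} turns left. Costs $5. '
          . '{userinfo_password} $userinfo[password]</p>';

echo render_template($template, $public), "\n";
```

Because the template is treated purely as data, dollar amounts need no escaping and a reference to a key outside $public is printed back verbatim rather than resolved.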
 