1

Stack community.

I'm using the eval() function in PHP so my users can execute their own code on my website (Yes, I know it is a dangerous function, but that's not the point).

I want to store all the PHP errors that occur during the interpretation of the code. Is there a way to fetch all of them? I want to get them and register them in a table of my database.

The error_get_last function gets only the last error, but I want all of them. Help me, please. Is it even possible?

2 Answers

1

General

You cannot use eval() for this, as the evaled code will run in the current context, meaning that the evaled code can overwrite all vars in your context. Aside from security considerations, this could / would break functionality. Check this imaginary example:

$mode = 'execute';

// here comes a common code example, it will overwrite `$mode`
eval('
    $mode = "test";
    // if (....) { ... (rest of the user code)
');

// here comes your code again, will fail
switch ($mode) {
    // ...
}

Error Tracking

You cannot track the errors this way. One method would be to use set_error_handler() to register a custom error handler which stores the errors to db. This would work, but what if the user uses the function in its code? Check the following examples:

set_error_handler('my_handler');

function my_handler($errno, $errstr, $errfile, $errline) {
    // db_save() stands in for your own database insert
    db_save($errno, $errstr, $errfile, $errline);
}

eval('
$a = 1 / 0; // will trigger a warning
echo $b; // variable not defined
'
);

This would work. But problems will arise if you have evaled code like this:

eval('
restore_error_handler();
$a = 1 / 0; // will trigger a warning
echo $b; // variable not defined
'
);

Solution

A common solution to make it possible that others can execute code on your servers is:

  • store user code into temporary file
  • disable critical functions like fopen() ... in the php.ini
  • execute the temporary php file by php-cli and display output (and errors) to the user
  • if you separate stdin from stdout when calling the php-cli, you can parse the error messages and store them in a DB
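
The steps listed above, as an added example that is not part of the original answer: it runs the user code in a separate php-cli process, keeps error messages apart from program output by sending them to stderr, and parses every reported error into a row. It assumes PHP 7.4+ and a `php` CLI binary on PATH; `run_user_code()`, `parse_php_errors()` and the `disable_functions` list are illustrative choices.

```php
<?php
// Added example. Assumes PHP 7.4+ and a `php` CLI binary on PATH.
function run_user_code(string $code, string $phpCli = 'php'): array
{
    $src = tempnam(sys_get_temp_dir(), 'usr');   // user code goes to a temp file
    $err = tempnam(sys_get_temp_dir(), 'err');   // child's stderr is written here
    file_put_contents($src, $code);
    $cmd = [
        $phpCli, '-n',                           // ignore the site's own php.ini
        '-d', 'display_errors=stderr',           // errors to stderr, output to stdout
        '-d', 'log_errors=0',                    // no duplicate "PHP ..." log lines
        '-d', 'error_reporting=-1',
        '-d', 'memory_limit=32M',
        // Illustrative list only, not a complete lockdown.
        '-d', 'disable_functions=exec,system,passthru,shell_exec,popen,proc_open,fopen',
        $src,
    ];
    // stderr goes to a file so a noisy child cannot block on a full pipe
    // while we are still reading stdout.
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['file', $err, 'w']];
    $proc = proc_open($cmd, $spec, $pipes);      // array form: no shell involved
    if (!is_resource($proc)) {
        unlink($src); unlink($err);
        throw new RuntimeException('could not start php-cli');
    }
    fclose($pipes[0]);
    $stdout = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    $exit = proc_close($proc);
    $stderr = file_get_contents($err);
    unlink($src); unlink($err);
    return ['exit' => $exit, 'output' => $stdout, 'errors' => parse_php_errors($stderr)];
}

function parse_php_errors(string $stderr): array
{
    // "<Type>: <message> in <file> on line <n>"; the message of an uncaught
    // exception spans several lines, hence the /s flag and the lazy match.
    $re = '/^(?:PHP )?([A-Z][A-Za-z ]+):\s+(.*?) in (\S+) on line (\d+)$/ms';
    preg_match_all($re, $stderr, $m, PREG_SET_ORDER);
    return array_map(fn($e) => ['type' => $e[1], 'message' => $e[2],
                                'file' => $e[3], 'line' => (int) $e[4]], $m);
}

// Constructed sample: an undefined variable, then a division by zero.
$result = run_user_code('<?php echo $b; $a = 1 / 0;');
foreach ($result['errors'] as $e) {              // one row per error for the DB table
    printf("%s | %s | line %d\n", $e['type'], $e['message'], $e['line']);
}
```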

1 Comment

I know, this is a mess, man! I tried doing my own error handler before, but I'm not experienced at all in PHP. Also it would suppose an infinite amount of possibilities to consider in order to catch all of the possible errors. I guess I'm not including this stuff in my project, then. Thank you a lot!
0

According to the documentation, you just can't:

If there is a parse error in the evaluated code, eval() returns FALSE and execution of the following code continues normally. It is not possible to catch a parse error in eval() using set_error_handler().

EDIT: you can't do it with eval(), but you apparently can with php_check_syntax function. You have to write the code to a file in order to check its syntax.

3 Comments

Oh man, I'm screwed then... Any idea on what can I do on that? =/
Well, after some research, maybe you can. Take a look at php_check_syntax function.
But it will only check the syntax, right? Y'know? Forget it, bro, as I said to the other guy who answered, it will be extremely hard due to all of the possibilities I have to check in the user's code. Thank you for your help, and for wasting time researching. Thank you a lot.
