secure way to execute php from saas application


secure way to execute php from saas application



I have developed an online "Workflow" application in SaaS, currently allowing the users to execute commands and chain them (database/sql requests, file operations, ftp i/o, etc...).



And i may now need to allow the users to execute custom php scripts (with a specific allowed php commands list) with limited privileges in the server
(hosting several customers, each customer having his own mysql database and folder for uploaded files)



A use case is the creation of a ETL (Extract-Transform-Load) task :



the workflow :



This case use needs the customer be able to edit online a custom php script



On stackoverflow i saw answers suggesting to use LXC containers, i would like to avoid this.



I was thinking to propose a textarea to the users, where for instance they would type PHP templating code (like twig for symfony) ?
Like this, the set of commands is secured, and i can choose exactly the allowed PHP commands...



Is it a good idea ?
Is there a better way to do this ?



Thanks for your help !





Before people jump on the 'No' and 'Dear god no' band wagon, can you explain your use case? What type of content will users be inputting? Is this for showing basic data like a small biography for a form? Is it for implementing full cms controlled pages?
– Neil Masters
Jul 2 at 20:22





Why avoid containers? By doing so your now need to implement a whole range of protections.. For each of them features. What are you attempting to protect? Using containers you could give them root, and limit io, network, processes, cpu, disk, mem and all that jazz..
– Lawrence Cherone
Jul 2 at 20:24






A use case is the creation of a ETL (Extract-Transform-Load) task : the workflow 1) download a csv file to an external FTP , 2) a php script workflow on the csv for updating him (change his format, add/remove columns for instance), and 3) then import this with a mysqlimport workflow command... so the customer needs to edit online a custom php script...i put this use case in my question...
– Pierre
Jul 2 at 20:26





Cant you parse the csv, and build a UI which defines an entity which get applied when processed?
– Lawrence Cherone
Jul 2 at 20:29





Why trying to avoid containers ? I am thinking interesting to give the non-very-technical users (my current customer's profile -they are mainly non-developers, only project managers) a easy limited language (for loops, if commands) in an online editor, so in the case if i execute the php template, then no need of containers...my problematic is more to give a "for dummies" programming interface (and obviously in a secure way)
– Pierre
Jul 2 at 20:34









By clicking "Post Your Answer", you acknowledge that you have read our updated terms of service, privacy policy and cookie policy, and that your continued use of the website is subject to these policies.

-

Popular posts from this blog

api-platform.com Unable to generate an IRI for the item of type

api-platform.com Unable to generate an IRI for the item of type I'm trying to setup my first api-platform instance and have run into some presumably noob questions around IDE. What i'm trying to do is setting up an register and reset entity in order to deal with registrations and password reminders from an app. And then have the entity's passed to a custom controller to do some checks, balances and mails afterwards (haven’t gotten around to that yet). But I keep running into this error when posting to my custom entities: { "@context": "/api/contexts/Error", "@type": "hydra:Error", "hydra:title": "An error occurred", "hydra:description": "Unable to generate an IRI for the item of type "AppXXXUserBundleEntityRegister"", "trace": [ { "namespace": "", "short_class": "", "c
Read more

How to set up datasource with Spring for HikariCP?

How to set up datasource with Spring for HikariCP? Hi I'm trying to use HikariCP with Spring for connection pool. I'm using jdbcTempLate and JdbcdaoSupport. This is my spring configuration file for datasource: <bean id="dataSource" class="com.zaxxer.hikari.HikariDataSource"> <property name="dataSourceClassName" value="oracle.jdbc.driver.OracleDriver"/> <property name="dataSource.url" value="jdbc:oracle:thin:@localhost:1521:XE"/> <property name="dataSource.user" value="username"/> <property name="dataSource.password" value="password"/> </bean> But unfortunately the following error message is generating: Cannot resolve reference to bean 'dataSource' while setting bean property 'dataSource'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'dataSource'
Read more

Display dokan vendor name on Woocommerce single product pages

Display dokan vendor name on Woocommerce single product pages With woocommerce I am using Dokan plugin and I am trying to display the vendor name, rating and vendor location on single product pages. I tried this code to display vendor name but no luck: //show store name add_action( 'woocommerce_single_product_summary', 'show_store_name', 20 ); function show_store_name() { printf( '<b>Seller Name:</b> <a href="%s">%s</a>', dokan_get_store_url( $author->ID ), $store_info['store_name'] ); } Any help is appreciated. 1 Answer 1 I don't use dokan plugin. Here is the way to get the (post) author ID and to make your code work: add_action( 'woocommerce_single_product_summary', 'display_author_name', 20 ); function display_author_name() { // Get the author ID (the vendor ID) $vendor_id = get_post_field( &#
Read more