How dangerous is it to include untrusted PHP script?

Hello,

A beta-stage advertising system which I do not trust wants me to add this to my page:

define('XY_USER', 'dg6z247h5hj8d9s7gh3l2.54lo5f');
require_once($_SERVER['DOCUMENT_ROOT'].'/'.XY_USER.'/script.php');
$xy = new SeolinkClient();
echo $xy->return_links();

I want to ask what malicious things they can do if they later add some malicious code to their .php file?
Can they read my MySQL credentials, even my hosting account password, or somehow harm my site visitors?

Thank you

As a rule of thumb, you don’t deploy code you do trust into production without testing, let alone code you don’t. Make a virtual machine copy of your site, cordon it off from the internet to keep it from calling home, and then see what it can do.

As to what it could do, pretty much anything you give it permission to do.
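
One way to make sure the file that runs in production is the same file that was tested in isolation, shown as an added example that is not part of the thread or the vendor's code: pin the SHA-256 of the reviewed script.php and refuse to include it if it changes later. `require_pinned` and `XY_PINNED_SHA256` are hypothetical names, and the hash value is a placeholder.

```php
<?php
declare(strict_types=1);

// Assumption: SHA-256 of the copy of script.php that was reviewed and tested.
// Placeholder; replace with hash_file('sha256', ...) of that reviewed copy.
const XY_PINNED_SHA256 = 'REPLACE_WITH_SHA256_OF_REVIEWED_SCRIPT';

/**
 * Hypothetical helper: include $path only if its bytes still match the pin.
 * Returns true when the file was included, false when it was refused.
 */
function require_pinned(string $path, string $pinnedSha256): bool
{
    $real = realpath($path); // resolves symlinks and ../ segments
    if ($real === false || !is_file($real) || !is_readable($real)) {
        error_log("pinned include: not found or unreadable: $path");
        return false;
    }
    $actual = hash_file('sha256', $real);
    // Fails closed: the placeholder pin never matches a real digest.
    if ($actual === false || !hash_equals(strtolower($pinnedSha256), $actual)) {
        error_log("pinned include: hash mismatch for $real, refusing to include");
        return false;
    }
    // The file can still change between hashing and including, so the file
    // and its directory should not be writable by the web server user.
    require_once $real; // classes it declares are global even from here
    return true;
}

// Same include as in the question, now gated on the pin.
define('XY_USER', 'dg6z247h5hj8d9s7gh3l2.54lo5f');
$script = $_SERVER['DOCUMENT_ROOT'] . '/' . XY_USER . '/script.php';

if (require_pinned($script, XY_PINNED_SHA256) && class_exists('SeolinkClient', false)) {
    $xy = new SeolinkClient();
    echo $xy->return_links();
}
```

The pin only covers the bytes on disk: if the reviewed script itself downloads and runs or prints remote content, that content is not covered by the hash.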
