PCR360 Custom Code PHP Whitelist Reference
This document lists all PHP functions, classes, and $this-> methods that are allowed in PCR360 Custom Logic code. The PHP validator will reject any function or method call not on this list.
IMPORTANT: When generating Custom Logic, Custom API, Custom Event, Custom Validation, or Custom Report code, you MUST only use functions and methods from this whitelist. Any other function call will fail PHP validation.
$this-> Methods (CustomLogic Trait)
These are the methods available via $this-> in all custom code types:
Data & Queries
| Method | Description |
|---|---|
| | Execute a SQL query with bound parameters |
| | Get the last query error message |
| | Look up a list value by type and code |
| | Find a list code by RECID |
| | Find a list value by RECID |
| | Call an API shortcut method (e.g., saveContact, assignWorkflow) |
Debugging
| Method | Description |
|---|---|
| | Write debug output to the Custom Debug table |
Events
| Method | Description |
|---|---|
| | Trigger another custom event by identifier |
Reports
| Method | Description |
|---|---|
| | Assign a variable to the Smarty template |
| | Add an error message to the report |
| | Load and execute another custom report |
| | Generate a barcode image |
Validation
| Method | Description |
|---|---|
| | Set a validation failure message (return false after) |
| | Set an error message |
| | Set a warning message |
File Operations
| Method | Description |
|---|---|
| | Write a file (INBOUND/OUTBOUND locations only) |
| | Convert an array to CSV string |
HTTP/cURL
| Method | Description |
|---|---|
| | Make an HTTP request (HTTP/HTTPS only) |
Messaging
| Method | Description |
|---|---|
| | Send a system message to contacts |
Allowed PHP Functions by Category
Array
array_column, array_chunk, array_combine, array_count_values, array_diff, array_diff_assoc, array_diff_key, array_fill, array_fill_keys, array_flip, array_intersect, array_intersect_assoc, array_intersect_key, array_is_list, array_key_exists, array_keys, array_merge, array_merge_recursive, array_multisort, array_pad, array_pop, array_product, array_push, array_rand, array_reduce, array_replace, array_replace_recursive, array_reverse, array_search, array_shift, array_slice, array_splice, array_sum, array_unique, array_unshift, array_values, compact, count, current, end, extract, in_array, key_exists, krsort, ksort, list, next, pos, prev, range, reset, rsort, shuffle, sort
Class/Object
get_called_class, get_class, is_a, is_subclass_of
Class/Interface Access
DateInterval, DateTime, Exception, PCR_Event, PCR_Exception, throwable
cURL (low-level)
curl_close, curl_copy_handle, curl_errno, curl_error, curl_escape, curl_getinfo, curl_init, curl_pause, curl_reset, curl_setopt, curl_setopt_array, curl_strerror, curl_unescape
cURL Helpers
curlExec, curlRequest
Date/Time
add, diff, date_add, date_create, date_create_from_format, date_diff, date_format, date_get_last_errors, date_interval_create_from_string, date_interval_format, date_parse, date_parse_from_format, date_sub, date_time_set, date_timestamp_get, date_timestamp_set, date_timezone_get, date_timezone_set, date, format, mktime, microtime, setDate, setTime, setTimestamp, strtotime, sub, time
Exception Handling
getPrevious, getCode, getLine
JSON
json_decode, json_encode, json_last_error, json_last_error_msg, json_validate
Logical (Control Flow)
as, if, break, case, catch, continue, default, do, else, elseif, finally, for, foreach, function, match, new, return, switch, try, while
Mathematical
abs, base_convert, bindec, ceil, exp, floor, hexdec, max, min, octdec, pow, rand, round, srand, trunc
Regular Expressions
preg_filter, preg_grep, preg_last_error, preg_match, preg_match_all, preg_quote, preg_replace, preg_split
String
addslashes, bin2hex, chr, explode, html_entity_decode, htmlentities, htmlspecialchars, htmlspecialchars_decode, implode, ltrim, nl2br, number_format, rtrim, sprintf, str_contains, str_ends_with, str_getcsv, str_ireplace, str_pad, str_repeat, str_replace, str_shuffle, str_split, str_starts_with, strcasecmp, strip_tags, stripslashes, strtolower, strtoupper, substr_compare, substr_count, substr_replace, substr, stristr, strlen, stripos, strpos, strripos, strrpos, strstr, trim, wordwrap
URLs
base64_decode, base64_encode, get_headers, http_build_query, parse_url, rawurldecode, rawurlencode, urldecode, urlencode
Variable Handling
gettype, is_array, is_bool, is_float, is_int, is_iterable, is_numeric, is_object, is_string, isset
Prohibited Functions
The following are explicitly blocked (program execution):
- exec, shell_exec, system, passthru, popen, proc_open
- eval, assert
- mail, phpversion, phpinfo
- Any function not listed above
Scope Variables by Code Type
Custom API
- $request — POST data from the API call
- $response — Array to populate with return data
Custom Event
- $data — Incoming event data
- $user — Current user info
- $params — Event parameters
- $backtrace — Call stack info
Custom Validation
- $data — Record data being saved/deleted
- $params — Form parameters
- $user — Current user info
- $backtrace — Call stack info
- Must return true (pass) or false (fail, use $this->setMessage() first)
Custom Report
- $params — Report parameters (user inputs)
- $user — Current user info
- Use $this->assign($name, $value) to pass data to the Smarty template
- Use $this->query($sql, $bind) for database queries
- Use $this->addError($message) for error handling
Notes
- Always use bound parameters in $this->query() calls to prevent SQL injection
- Custom functions defined with function myFunc() are allowed but the function name itself must not conflict with a prohibited function
- Tenants can add additional whitelisted functions via customlogic.FUNC_WHITELIST in their config
- Use the "Validate PHP" button in PCR360 before saving any custom code
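
The allowlist rule described at the top of this reference can be pre-checked locally before pasting code into PCR360. The following is an added example, not PCR360's validator or code from this reference: a token-based lint (PHP 8) that reports every function or method call whose name is not allowlisted and accepts helpers defined in the snippet itself. The function name findDisallowedCalls, the ALLOWED subset, and the sample snippet are constructed for illustration.

```php
<?php
// Added example: a local pre-save lint, not PCR360's own validator.
// ALLOWED is a constructed subset of the names on this page (lowercased).
const ALLOWED = ['query', 'setmessage', 'adderror', 'assign', 'count',
                 'is_numeric', 'json_encode', 'sprintf', 'strlen', 'trim'];

/** Return "line N: name" for every call whose name is not allowlisted. */
function findDisallowedCalls(string $code): array
{
    // Assumption: snippets carry no open tag, so add one to tokenize as PHP.
    $tokens = array_values(array_filter(
        PhpToken::tokenize("<?php\n" . $code),
        fn (PhpToken $t) => !$t->isIgnorable()  // whitespace, comments, open tag
    ));
    $defined = $calls = [];
    foreach ($tokens as $i => $tok) {
        $prev = $tokens[$i - 1] ?? null;
        $next = $tokens[$i + 1] ?? null;
        $line = $tok->line - 1;                 // undo the prepended line
        if ($tok->is(T_EVAL)) {                 // language construct, own token
            $calls[] = [$line, 'eval'];
        } elseif ($tok->is([T_STRING, T_NAME_QUALIFIED, T_NAME_FULLY_QUALIFIED])
            && $next?->text === '(') {
            // PHP resolves function and method names case-insensitively.
            $name = strtolower(ltrim($tok->text, '\\'));
            if ($prev?->is(T_FUNCTION)) {
                $defined[] = $name;             // user-defined helper
            } elseif (!$prev?->is(T_NEW)) {     // classes are a separate list
                $calls[] = [$line, $name];
            }
        }
    }
    $ok = array_merge(ALLOWED, $defined);
    $bad = [];
    foreach ($calls as [$line, $name]) {
        if (!in_array($name, $ok, true)) {
            $bad[] = "line $line: $name";
        }
    }
    return $bad;
}

// Constructed sample of Custom Validation code; line 3 calls an unlisted function.
$sample = <<<'PHP'
$rows = $this->query($sql, $bind);
if (count($rows) === 0) { $this->setMessage('Unknown record'); return false; }
file_put_contents('/tmp/audit.log', json_encode($rows));
PHP;
print_r(findDisallowedCalls($sample));
```

A clean result here only means the names match the local list; the "Validate PHP" button remains the authoritative check.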