For a long time now, I have had my own wrapper function around echo, so that instead of:
echo 'This is an example.';
I do (in CLI scripts):
terminal_output('This is an example.');
This allows me to, for example, do fancy outputting of the text on the terminal. For example, I can make it look like it's "typed out" with random delays.
Sometimes, I realize that I have been using "echo" instead of my wrapper function, and then I have to sit and change them all into my function calls.
It strikes me that, maybe, there is some way to "hook into" the echo function so that I can indeed use echo everywhere, yet do any kind of fancy processing I feel like? And of course, that wrapper function would check whether it's in web or cli mode, and always directly output if in web mode.
I've oftentimes found hidden "gems" like this in PHP which are barely documented or well hidden, so maybe it's the case this time as well?
Functions can be namespaced. PHP native functions can be redefined with the same name in custom namespaces.
But echo is a special case. It is not a function, but is a language construct.
// echo supports non-function-shape calls since it's a language construct.
echo "string", "string";
AKAIK, the language may not allow you to define a function with that name.
Related
I want to hook before execution / or replace standart core functions, for example i im going to prevent both include and require accesa to any scripts. Is any way to make it without any extra .dll's? Or another case is_array($myarr); i would be to hook at array($myarr) === $myarr; (looks like it is faster) to avoid creating extra classes and functions.
Ps and one more question : how to prevent all php execution after some moment? I have html templates with php parts <?=$myvar?> i want to prevent short sintax and execution at all when my script ends work, what i have to try?
About hooks to standart functions: there is no way to do that without external modules. APD PECL module
will do the job.
rename_function('require', 'internal_require'); // saving reference to original function
override_function('require', '$filename',
'print "require called"; internal_require($filename);');
Second question is not very clear. Do you want to hook on standart is_array function, to array() lexical construct or (array) type casting?
About stopping php interpretation: have a look at __halt_compiler function. But keep in mind that succeeding blocks of php will be just embedded in HTML (thus visible to everybody).
If you want to disable functions, you can use safe mode, but it is deprecated and not recommended. And as madfriend says, __halt_compiler just sends everything below it as text. Bear in mind that it can only be called from the outermost scope - I.e. not inside curly braces (if, loops, functions etc.)
We have a large codebase, and every so often a var_dump used for testing and not removed/commented suddenly appears out of nowhere. There is a messy solution using XDebug (http://devzone.zend.com/1135/tracing-php-applications-with-xdebug/), but maybe there's something ingenous that can be done in PHP at runtime.
Also, I don't want to modify or search code via regex. I've tried using my own var_dump_v2, but it falls out of use quickly.
Is it possible to use the disable_functions operation in php.ini to disable var_dump on your production server? I am not sure what the outcome of this setting is (ie does it fail with an error, or silently) the documentation is not so clear.
http://php.net/manual/en/ini.core.php - see "disable_functions"
Also there is override_function:
<?php
override_function('var_dump', '$a', 'return 0;');
?>
http://php.net/manual/en/function.override-function.php
There are actually ways to do this, if you have PECL available and runkit installed. You kan make runkit able to overide PHPs internal functions if you in php.ini set runkit.internal_override to "1".
For removing the var_dump function, you could use:
runkit_function_remove('var_dump');
In your case, not to get an error, you should probably instead use something like this:
runkit_function_redefine('var_dump', '','');
Take a look at the runkit extensions documentation here.
You may also want to take a look at "Advanced PHP debugger", another extension that seems to offer an override_function().
You can use monkey patching.
Just defines a namespace on the first line of your file and defines the function var_dump
<?php
namespace monkey;
function var_dump($obj) {}
Of course, it implies that you do not use a namespace in your current file
You could use the function var_dump() prefixing it with the root namespace(): \var_dump()
Of course, all others native function will continue to work as usual as long as you do not override them in your namespace.
Why don't you use serialize() or json_encode() if you have a large database? That will be very useful.
But take note, serialize() will give you a 1-line output somewhat like this:
's:0:"";s:5:"value";'
So you need to learn the anatomy of serialize() to use it: PHP Serialize
I want to hook before execution / or replace standart core functions, for example i im going to prevent both include and require accesa to any scripts. Is any way to make it without any extra .dll's? Or another case is_array($myarr); i would be to hook at array($myarr) === $myarr; (looks like it is faster) to avoid creating extra classes and functions.
Ps and one more question : how to prevent all php execution after some moment? I have html templates with php parts <?=$myvar?> i want to prevent short sintax and execution at all when my script ends work, what i have to try?
About hooks to standart functions: there is no way to do that without external modules. APD PECL module
will do the job.
rename_function('require', 'internal_require'); // saving reference to original function
override_function('require', '$filename',
'print "require called"; internal_require($filename);');
Second question is not very clear. Do you want to hook on standart is_array function, to array() lexical construct or (array) type casting?
About stopping php interpretation: have a look at __halt_compiler function. But keep in mind that succeeding blocks of php will be just embedded in HTML (thus visible to everybody).
If you want to disable functions, you can use safe mode, but it is deprecated and not recommended. And as madfriend says, __halt_compiler just sends everything below it as text. Bear in mind that it can only be called from the outermost scope - I.e. not inside curly braces (if, loops, functions etc.)
Right now, I have a script which uses PHP's tokenizer to look for certain functions within a PHP source code file. The pattern I am currently looking for is:
T_STRING + T_WHITESPACE (optional) + "("
This seems to match all of my test cases so far except variable functions, which I am ignoring for the purposes of this question.
The obvious problem here is that this pattern produces a lot of false positives, like matching function definitions:
public function foo() { // foo() should not be matched
My question is, is there a more reliable/accurate method for looking at source code and plucking out all the function invocations? Maybe a better method than using the tokenizer at all?
Edit:
In particular, I'm looking to emulate the functionality of the disable_functions PHP directive within a class file. So, if exec() should be disallowed, I'm trying to find any uses of that function within the analyzed file. I do realize that variable functions make this terribly difficult, so I am detecting these and disallowing them as well.
You first run the tokenizer (available in PHP). Then you run a parser on top of the tokens. The parser needs to read the tokens and should be able to tell your what a specific token has been used for. It depends on the reliability of your parser how reliable the outcome is.
If your current parser (you have not shown any code) is not reliable enough, you need to write a better parser. That simple it is. Probably you're not doing much more than just tokenizing and then reading as it passes which just might not be enough.
Instead of using the tokenizer, consider instead using a higher-level parser to analyze your code. For example, PHP-Parser can explicitly identify function declarations, as well as variable function calls.
I have a string that stores some variables that must be executed to produce a result, for example:
define('RUN_THIS', '\$something.",".$somethingElse');
Which is then eval()-uated:
$foo = eval("return ".RUN_THIS.";");
I understand that eval is unsafe if the string that gets evaluated is from user input. However, if for example I wanted to have everything run off Facebook's HipHop which doesn't support eval() I couldn't do this.
Apparently I can use call_user_func() - is this effectively the same result as eval()? How is deemed to be secure when eval() isn't, if that is indeed the case?
Edit:
In response to the comments, I didn't originally make it clear what the goal is. The constant is defined in advance in order that later code, be it inside a class that has access to the configuration constants, or procedural code, can use it in order to evaluate the given string of variables. The variables that need to be evaluated can vary (completely different names, order, formatting) depending on the situation but it's run for the same purpose in the same way, which is why I currently have the string of variables set in a constant in this way. Technically, eval() is not unsafe as long as the config.php that defines the constants is controlled but that wasn't the point of the question.
Kendall seems to have a simple solution, but I'll try to answer your other question:
Apparently I can use call_user_func() - is this effectively the same result as eval()? How is deemed to be secure when eval() isn't, if that is indeed the case?
call_user_func is actually safer than eval because of the fact that call_user_func can only call one user function. eval on the other hand executes the string as PHP code itself. You can append '; (close the string and start a new "line" of code) at the end of the string and then add some more code, add a ;' (end the line of code and start another string so that there is no syntax error), thus allowing the constant RUN_THIS to contain lots of PHP code that the user can run on the server (including deleting all your important files and retrieving information for databases, etc. NEVER LET THIS HAPPEN.
call_user_func doesn't let his happen. When you run call_user_func_array($func, $args) the user can only run a restricted set of functions because: (a) the function has to be user defined (b) you can manipulate $func to ensure the user isn't able to run any function he/she wants either by checking that $func is in a list of "allowed functions" or by prefixing something like user_ to the function names and the $func variable itself (This way the user can run only functions beginning with user_.
I can't see any reason why you can't just use double-quote string building.
$foo = "\$something,$somethingElse";