I would like to know why the function addcslashes() is ignoring certain characters.
As you will notice in the output at the bottom, ["`","$","""] are being ignored.
This is my example:
<?php
$ADPasswdRaw = $_GET["element_3"]; #data from a web form
$ADPasswd = addcslashes($ADPasswdRaw, "~`!##$%^&*()_+=-][}{\\|:;\"',./<>?");
echo $ADPasswd;
?>
Output
\~\`\!\#\\\#$\%\^\&\*\(\)\_\+\-\=\;\:"\'\<\>\?\,\.\/
Thanks
This must be a problem with my input.
This is unclear and old at this point.
Related
I need to remove the beginning part of a URL:
$test = "price/edit.php";
echo ltrim($test,'price/');
shows dit.php
Here is a codepad if you want to fiddle: https://codepad.remoteinterview.io/DominantCalmingBerlinPrice
Any ideas what is going on? I want it to echo edit.php of course.
ltrim removes ALL characters found, consider the following:
$test = 'price/edit.php';
echo ltrim($test, 'dprice/'); // outputs t.php
For this particular scenario, you should probably be using str_replace.
The second argument to ltrim() is a character mask (a list of characters) that should be removed. e is a character that should be removed and so it is removed from edit.
There are many string manipulations that you could use, however since this is a filename/filepath the correct tool is a Filesystem Function, basename():
echo basename($test);
For more information on the filepath check into pathinfo().
Hi I have faced the same problem some time ago and found this solution use it if it suits your need
<?php
$test = "price/edit.php";
echo ltrim(ltrim($test,'price'),'/');
output
edit.php
but i must say you should use basename as all type problem
<?php
$test = "project/price/edit.php";
// echo ltrim(ltrim($test,'price'),'/');// this will give oject/price/edit.phpedit.php
echo basename($test); // and it will generate edit.php
I'm quite new here. I'm trying to make a blog/journal site that allows users to post their own journal. I'm still quite reluctant on making it because I am really afraid of malicious code injections.
So here's a sample code:
<?php
$test = "<b>blah</b>"; //User input from SQL
echo "$test";
?>
What will come out is just the word "blah" in bold right? What I was trying to achieve was to echo "<b>blah</b>" instead. I don't want people to put some PHP codes that can actually mess up my whole web page. Please keep in mind that the variable $test is actually a MYSQL query, so that variable will be needed as an example. I know you can do echo '$test'; but it just comes out as "$test" instead. I feel like pulling my hair out I can't figure it out yet.
The second solution I know of is the htmlspecialchars(); function, but I want the strings to display as what I typed, not the converted ones...
Is there any way I can do that?
I think the OP wants the HTML itself to be output to the page, and not have the tags stripped. To achieve this, you can run the string first through htmlentities()
$test = '<b>blah</b>';
echo htmlentities($test);
This will output:
<b>blah</b>
Which will render in the page as
<b>blah</b>
Echo don't execute PHP code from string. This is impossible and this is not security hole in your code.
You can use a template engine like Twig for exemple.
If htmlspecialchars(); is not the one you are looking for, try the header() option.
header('Content-type: text/plain');
When you are gonna give <b>Hi</b> to a browser, it will be displayed in Bold and not the text be returned. But you can try this way, outputting it inside a <textarea></textarea>.
Or the other way is to use htmlentities():
<?php
$test = "<b>blah</b>"; //User input from SQL
echo htmlentities("$test");
?>
I'm away from a computer with PHP installed and was wondering what the result of strip_tags() would be on the following text:
"<scr<h1>ipt>alert('oh oh')</scr</h1>ipt>"
Would it return:
"<script>alert('oh oh')</script>" (i.e. not recognize that by removing the obvious tag it exposed a new one)
or
"alert('oh oh')
I know that if it returns the first case I can just repeatedly call the function until I get out what I put in, but I'm curious.
Thanks in advance.
Great question.
Nope, it doesn't strip anything from that string:
<?php
$b = "ipt>alert('oh oh')ipt>";
echo strip_tags($b);
?>
And the output is your original string: ipt>alert('oh oh')ipt>
Edit
In your second case it will print alert('oh oh') so it strips all that is looking like a tag in a single step
It returns just:
alert('oh oh')
I made a GET form recently.But the problem is that it is highly vulnerable.You can inject your an script as below.
http://mysite.com/processget.phtml?search=Hacked
I'm able to inject any kind of script into my above URL.I'm actually echoing my GET data using an echo in my BODY,so whenever i enter a malicious script it is being executed in my BODY tag.So now how do i limit this http://mysite.com/processget.phtml?search= to just Number,letters and a few symbols which i want.
For ex.The user should only be able to enter
http://mysite.com/processget.phtml?search=A123123+*$
So can anyof you help me fix this bug.I'm kind of new to PHP,so please explain.
if (!empty($_GET['search'])) {
$search = htmlentities($_GET['search'],ENT_QUOTES,'UTF-8');
echo $search;
}
Now it's safe.
But if you want to limit to specific symbols, then you need to use regular expressions.
You can let a user enter whatever you like; the key is to escape the output. Then the string is displayed as desired, rather than included as HTML.
Use a php function like htmlentities
Strip the tags:
echo strip_tags($_GET['search']);
Actually, you may want htmlspecialchars instead, which escapes the tags instead of removing them so they display as intended:
echo htmlspecialchars($_GET['search']);
I have a string that has HTML & PHP in it, when I pull the string from the database, it is echo'd to screen, but the PHP code doesn't display. The string looks like this:
$string = 'Hello <?php echo 'World';?>';
echo $string;
Output
Hello
Source Code
Hello <?php echo 'World';?>
When I look in the source code, I can see the php line there. So what I need to do is eval() just the php segment that is in the string.
One thing to consider is that the PHP could be located anywhere in the string at any given time.
* Just to clarify, my PHP config is correct, this is a case of some PHP being dumped from the database and not rendering, because I am echo'ing a variable with the PHP code in it, it fails to run. *
Thanks again for any help I may receive.
$str = "Hello
<?php echo 'World';?>";
$matches = array();
preg_match('/<\?php (.+) \?>/x', $str, $matches);
eval($matches[1]);
This will work, but like others have and will suggest, this is a terrible idea. Your application architecture should never revolve around storing code in the database.
Most simply, if you have pages that always need to display strings, store those strings in the database, not code to produce them. Real world data is more complicated than this, but must always be properly modelled in the database.
Edit: Would need adapting with preg_replace_callback to remove the source/interpolate correctly.
You shouldn't eval the php code, just run it. It's need to be php interpreter installed, and apache+php properly configured. Then this .php file should output Hello World.
Answer to the edit:
Use preg_replace_callback to get the php part, eval it, replace the input to the output, then echo it.
But. If you should eval things come from database, i'm almost sure, it's a design error.
eval() should work fine, as long as the code is proper PHP and ends with a semicolon. How about you strip off the php tag first, then eval it.
The following example was tested and works:
<?php
$db_result = "<?php echo 'World';?>";
$stripped_code = str_replace('?>', '', str_replace('<?php', '', $db_result));
eval($stripped_code);
?>
Just make sure that whatever you retrieve from the db has been properly sanitized first, since you're essentially allowing anyone who can get content into the db, to execute code.