Browser not interpreting php code - php

I am using CKEditor in a simple CMS I built, with the following configuration.
<script>
if ($("#editor").length) {
CKEDITOR.replace('editor', {
language: 'en',
allowedContent: true,
});
CKEDITOR.config.protectedSource.push(/<\?[\s\S]*?\?>/g);
}
</script>
It works great if I go to the source tab in the editor and type some PHP code like the following:
<?php echo "hello"; ?>
It gets saved in the database as <?php echo "hello"; ?>
So far so good.
Now my problem is that when getting that from the database and displaying it in the browser, it does not appear.
I did a var_dump on the variable that has the code and I see the following:
...modules\pages\views\base.php:38:string '<?php echo "hola"; ?>' (length=21)
So the value does exist and it's reaching the view; I don't understand why it is not showing up on the page.
The page is template.php.
If I look at the source code, my PHP code is being commented out:
<!--?php echo "hola"; ?-->
And this is how I am trying to display the code.
If I do the following
<div class="article-content-container">
<?php echo $this->security->xss_clean($content); ?>
</div>
it is displayed like
<div class="article-content-container">
<?php echo "hola"; ?><!--?php echo "hola"; ?-->
</div>
If I display it like this
<div class="article-content-container">
<?php echo $content; ?>
</div>
it gets commented out.
I hope I was clear; any help would be appreciated.
Thanks guys.

Browsers don't interpret PHP code, and they don't know the slightest thing about it. They never have and they never will. PHP code is executed on the server; from there it produces some output that is echoed to the client's browser, usually HTML, but can also be CSS or JavaScript, images or other downloadable files.
If you output PHP code, the most the visitor can do with it is manually save it to a local file, install their own PHP software, and run it in that. It's never going to magically run in the browser, no matter what you do.
If you want to run some code in the browser, it must be JavaScript. If you want to run some PHP code on the server, don't echo it, eval it:
<div class="article-content-container">
<?php eval($content); ?>
</div>
Note that eval treats its input as already having a PHP open tag, so you would pass echo "hello"; to it rather than <?php echo "hello"; ?>. You can still use ?> within the eval'd code to drop back to HTML+PHP mode if you need to.
Either PHP or JavaScript code could trivially be designed to be hostile, and so submitting any markup or code for execution on your website must be treated as a privileged action. You must make sure not to allow anyone who is not an authenticated administrator of your website to do it. There are ways to sandbox or purify such code if you really have to allow random people to run it, but that is more complex. CodeIgniter's xss_clean is an incomplete attempt to stop XSS, and is certainly not designed for executing user-submitted code safely, although it will mangle code and make it annoying to write.
In general:
If you need to execute submitted PHP then use eval($content);.
If you need to output submitted HTML, which may include executable JavaScript, then use echo $content;.
If you need to output submitted plain text (which is the only form where it is normally safe to allow input from users), then use echo htmlspecialchars($content);.
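The three cases listed in this answer, as an added example that is not part of the original answer: a hypothetical render_content() helper that escapes plain text from anyone and only echoes raw HTML or evaluates PHP when the content was authored by an administrator. The function name, the $kind values and the $authorIsAdmin flag are assumptions; the sample string is the stored value shown in the question's var_dump.

```php
<?php
declare(strict_types=1);

// Added example: render_content(), its $kind values and $authorIsAdmin
// are hypothetical names, not CodeIgniter or CKEditor API.
function render_content(string $content, string $kind, bool $authorIsAdmin): string
{
    if ($kind === 'text') {
        // Plain text from any user: escape so tags are shown, never parsed.
        return htmlspecialchars($content, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
    if (!$authorIsAdmin) {
        // Raw HTML (may carry JavaScript) and PHP are privileged content.
        throw new RuntimeException("'$kind' content requires an administrator author");
    }
    if ($kind === 'html') {
        return $content;
    }
    if ($kind !== 'php') {
        throw new InvalidArgumentException("unknown content kind '$kind'");
    }
    // eval() starts in PHP mode, so a leading closing tag switches it to
    // template mode and stored blocks with their own open tags parse as usual.
    ob_start();
    try {
        eval('?>' . $content);
    } catch (Throwable $e) {
        ob_end_clean(); // discard partial output on a parse or runtime error
        throw $e;
    }
    return (string) ob_get_clean();
}

// Constructed sample: the stored value shown in the question's var_dump.
$stored = '<?php echo "hola"; ?>';

echo render_content($stored, 'text', false), "\n"; // escaped, visible as text
echo render_content($stored, 'php', true), "\n";   // executed on the server

try {
    render_content($stored, 'php', false);
} catch (RuntimeException $e) {
    echo 'refused: ', $e->getMessage(), "\n";
}
```

The decision about who authored the content has to come from the server-side session or the stored record, never from a request parameter.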

If you don't save your php tags in the database, you could use eval() for running the saved code:
eval($this->security->xss_clean($content));
Only when the saved bit is not surrounded by <?php and/or ?>
EDIT: Letting people run code from a database or even saving code in a database is a potential risk. It could be exploited.

Related

How to call a php function in HTML

Rookie here, so please correct me if I have anything wrong.
So here's a snippet of my HTML:
<html><body>
<h2>Home Page</h2>
Welcome back <?= $fgmembersite->UserFullName(); ?>!
</body></html>
The function, $fgmembersite->UserFullName(), returns a string (100%, if I call the function within tags it prints out correctly). How do I get it to echo out in the HTML?
I think an alternative would be to echo the entire HTML code, and I think it'd work then, but I don't want to do it that way because I read somewhere that echoing all of your HTML is bad. Could somebody also confirm/deny that?
Right now, this is what shows on the site:
Welcome back UserFullName(); ?>!
No idea why
Thanks for your time!
I think you want the code to look like this...
Welcome back <?php echo $fgmembersite->UserFullName(); ?>!
This will ECHO the result of the function call.
What you are seeing is the result of the browser trying to parse the PHP. It is trying to treat <?= $fgmembersite-> as an unknown tag and then renders the rest as text.
There are two possible reasons for this:
You need to pass it through a PHP engine first.
You need to access the file through a web server which supports PHP and is configured to run your file through PHP when it is requested (typically this is done by using a .php file extension).
Note that installing a web server then double clicking a PHP file in your file manager isn't sufficient - the browser will just load the file from the file system. You need to type http://etc etc.
It is also possible that you have short_open_tag disabled (which is common and sensible) and are using PHP 5.3 or older (which isn't a great idea, 5.3 is still supported but it is the oldest branch that is).
If this is the case, your options are:
Upgrade PHP
Use <?php echo ... ?> instead of <?= ... ?>
Enable short_open_tag
Can't you just do
<?php echo $fgmembersite->UserFullName(); ?>
?
use it as follows:
<html><body>
<h2>Home Page</h2>
Welcome back <?php echo $fgmembersite->UserFullName(); ?>!
</body></html>
Do you have short_open_tag enabled on your server? You need to have that enabled to use that syntax. If you don't have that, use <?php echo $fgmembersite->UserFullName(); ?> like the other users suggested.
You can check the setting on your server by creating a file containing <?php phpinfo(); in it, and accessing that.
Also, echoing all your HTML inside the <?php tags is considered a bad practice because you should separate your business logic and your HTML. Echoing HTML directly from inside the PHP tags quickly leads to a mix of HTML and PHP, and it will be harder to read (for others, and yourself later on).

How does PHP work when we are outside PHP, in HTML mode?

I am a bit confused when I use conditional statements like
<?php
if(isset($_POST['somevalue'])){
?>
<h1> this is out side php mode now </h1>
<?php
}else {
?>
<h1> again its out php mode </h1>
<?php
}
?>
But yet it still works. I mean, if $_POST['somevalue'] is set then it outputs "this is out side php mode now"; if not, it outputs "again its out php mode". My question is: if I am outside PHP mode, how does it work then?
I think your question is "how PHP works". As we know, PHP is a server-side language. It executes on the server, but the scope of the HTML code will be inside the if loop. So
<?php
if(isset($_POST['somevalue'])){
?>
will be evaluated on the server and not in the HTML part, and that will be either true or false.
So after the execution on the server, your code in the front end, i.e. in the HTML part, will be like this
<?php
if(1){
?>
<h1> this is out side php mode now </h1>
//as above code is markup language so it will be interpreted by the browser
<?php
}else {
?>
<h1> again its out php mode </h1>
<?php
}
?>
NOTE: the delimiters are for the server to know that the code inside the tag is PHP code, and it will execute it accordingly.
Although you have closed off the executable section of the PHP code, the surrounding if statement and the curly braces will actually have a higher priority as to what is executed and what isn't.
<?php
if ($condition)
{
// This is considered inside the statement
// and will only be sent if the execution
// makes it inside the statement.
?>
...
<?php
}
else
{
}
?>
// Anything here is simply sent to the browser
// as it will always be executed.
<?php
// more code etc
?>
Anything inside the IF statement is considered part of the IF - even if it contains close/open PHP tags.
Basically the PHP control structure overrides open/close tags. This means any sort of if, switch, function etc etc has a higher priority than open close tags.
That's one thing I love about php.
Initially, the main reason is as #Fluffeh mentioned that you are still within the "if" statement.
One way I could put it is that PHP allows itself to be embedded inside HTML code. As long as the file has a .php extension then (someone correct me if I'm wrong) Apache knows to use the PHP processor to process that file. It will process the PHP code and display the HTML sections in it as well.
Your question is somewhat similar to
<?php
$name = "Tom";
?>
<h1>Hello <?php echo $name;?>!</h1>
The result will come out as Hello Tom!
It is the same idea as it is inside the PHP: satisfy each of the conditions and it will run its corresponding statement.
This is one of the best features of PHP, which allows us to use native HTML code rather than putting it inside echo.
A PHP file is processed as plain text/html until it reaches a <?php tag when it executes the php code. When it reaches the closing ?> it processes it as plain text again.
This is exactly the same, but with echo and quote marks around the html you want to print. If you're having trouble reading the code I suggest indenting as needed.
<?php
if(isset($_POST['somevalue'])){
echo "<h1> this is out side php mode now </h1>";
}else {
echo "<h1> again its out php mode </h1>";
}
?>
The way you posted it.
<?php
if(isset($_POST['somevalue'])){
?><h1> this is out side php mode now </h1><?php
}else{
?><h1> again its out php mode </h1><?php
}
?>

Execute PHP code when making a post in a cms

Sorry for the vague title but it's hard to describe what I mean in a few words.
I made my own cms and use it for all my personal projects. On some pages I want to include a php script in the content area. I load the content simply by echoing the variable that holds the content.
The template file looks like this:
<div id="content">
echo $content;
</div>
In my CRUD I make a post containing a php snippet.
<?php echo "My name is ".$var.""; ?>;
Then I save it and load the page and this is what happens:
<div id="content">
echo <?php echo "My name is ".$var.""; ?>;
</div>
But what I want is that the PHP code gets executed instead of getting echoed.
Something like the Wordpress plugin Exec-PHP. Can anybody explain to me how to achieve this?
Thanks in advance!
You could use the PHP eval() function to execute PHP code. Be aware though, if you ever allow users to insert text that may at some point be run through eval(), you could end up with some serious problems.
The php website says:
The eval() language construct is very dangerous because it allows
execution of arbitrary PHP code. Its use thus is discouraged. If you
have carefully verified that there is no other option than to use this
construct, pay special attention not to pass any user provided data
into it without properly validating it beforehand.
You can try php eval() func. But it is considered evil.
Rather than use PHP instructions, why don't you output to HTML, and use Javascript to execute what is displayed? There is no danger to your server that way. Others have already warned about the dangers of eval() in PHP.

Unsure how to store this code correctly

The best way to describe my website is to simply give you a link so that you can look at it: http://opensourcewebsite.host22.com/editpage.php. Basically, this is a website that people who are learning how to design websites can go on and test their code. I already know that in the site's current state, it is very susceptible to various attacks. Note that this is not the finished site. Users will enter their code in the textarea and when the submit button is clicked, the code is saved in a PHP variable which is then displayed on the web page. Currently you can use HTML, CSS, and JavaScript code and have it display correctly.
My problem is that I want the user to be able to enter php code in the textarea and have it display the results on the webpage. Feel free to go to my site and enter code to get a feel for how the page works. When you enter php code you get something similar to the following:
When you enter
<?php $hi = "hello"; ?>
<?php echo '<p>$hi</p>' ?>
it will show the following in the source code
<!--?php $hi = "hello" ?-->
<!--?php echo '<p-->$hi<p></p>' ?>
The below code is how I echo the source code in the text area
<div id="editArea"><?php echo stripslashes($source_code) ?></div>
Is it even possible to store php code in a php variable? Any help would be greatly appreciated!
Additionally, if you want it to execute as code, use eval($code);
Though, I have to say what you are doing sounds extremely dangerous.

Was using index.php but now need index.html

I'm learning all this web programming stuff after years writing .EXE Windows programs so bear with me.
I developed a basic .php and mysql website that works fine.
But I went to add javascript code to my index.php and I don't think the javascript code is executing.
My index.php has the form:
<?php
require_once blah blah
call_my_php_functionBlah();
?>
Then I added this code inside the php blocks of the '<?php' and '?>' as follows:
<script type="text/javascript">
// some known-good javascript code that displays an image
</script>
Nothing showed up.
So I thought "ah-HAH, I blew it, all I need to do is -- move the javascript code outside
of the php block, at the bottom of index.php, and surely I'm good to go."
And still, Nothing showed up.
I checked the source of my 'known-good' javascript code and it said 'embed this javascript code
in your HTML file' so I thought "wow, I guess I need an index.html or something here."
So my questions:
1) should my index.php be able to run the javascript block of code?
I'm guessing 'No because index.php executes on the server and javascript runs on the client machine.'
2) How should I architect this if I want to keep my index.php, whose code works fine and I don't want to mess with it?
I'm thinking that this is an extremely basic client/server, php and javascript script organization issue that every web programmer knows how to handle, but like I said, I'm new to all this. I read in the archives about .htaccess etc. etc. but I
bet there's an easier way, and I'm not sure if the stuff I read applies.
the file name extension is completely irrelevant
PHP executes on the server and doesn't care at all about any Javascript
code inside <?php ?> tags must of course be valid PHP code to be executed by PHP
your browser receives whatever the result of your PHP execution is
you can use PHP code to output Javascript or simply have Javascript on the same page outside of <?php ?> tags
only whatever the browser receives matters, so use View Source
look at the browser's Javascript Console to debug client-side Javascript problems
Then I added this code inside the php blocks of the '<?php' and '?>' as follows:
Don't add your script inside the PHP block; bring it outside the PHP block.
After you are done with script you can reopen php block and write php again
index.php can run JavaScript; you just need to echo the JavaScript code to put it in the page.
Anything that appears inside your php open/close tags has to be echoed or printed to be rendered to the html page. Anything outside your php open/close tags should appear in your html page but whether it works correctly or not is another matter not necessarily related to your php. The php interpreter doesn't run your javascript code, however, so it can't just sit inside your php tags.
Javascript will run inside .php file.
But you have to write outside the tags.
Eg:
index.php
<?php
echo "Helloooooo";
?>
<script>
function TestingMyFirstScript()
{
alert(1)
}
</script>
Javascript will execute in a PHP file but not inside of a PHP block. It executes in the server, yes and anything coming from PHP should be printed out to see. You should have the JS code outside of the PHP block and it can be anywhere in the page e.g.
It depends how to mix/match the code but of course keep it clean and easy to read (and debug).
<?php
// code here
?>
<script type="text/javascript">
// JS here
</script>
<?php
// some more code here
?>
The answer to both of your questions is that you don't have to create a separate HTML file to execute your JS code. You can have HTML, JS, and PHP code in the same file. PHP code inside the PHP tags will be processed on the server and replaced with HTML. The server-generated HTML will be combined with the other HTML present in the .php file and sent to the browser as one HTML document.
There must be some error in the JS code which is causing the script to fail.
<?php
require_once blah blah
call_my_php_functionBlah();
?>
<script type="text/javascript">
// some known-good javascript code that displays an image
</script>
<?php
// other php code
?>
Most of the above comments should help you with your PHP + JS problem. However, if you are still getting errors with your output, try using:
alert("breakpoint 1");
//some code
alert("breakpoint 2");
throughout your Javascript function (it will show you where the code is failing). Good for beginners debugging. Also check out http://www.jslint.com/
