The title is self-explanatory. Within PHP, I create a PHP file, add some PHP and HTML code to it, then close it. The problem is that PHP files take all PHP code found and converts it to emptiness. Here's the last thing I tried.
$phpfile=fopen('backupfile.php',"r");
$phptext=fgets($phpfile);
if(stristr($link, 'http://') === FALSE) {
fwrite($file2,$phptext."<meta http-equiv='refresh' content='0; URL=http://".$link." '/>");
}else{
fwrite($file2,$phptext."<meta http-equiv='refresh' content='0; URL=".$link." '/>");
}
phpfile includes the following:
<?php $file=fopen("/num","r"); $bar=fgets($file); $bar=$bar+1; $file=fopen("/num","w"); fwrite($file,$bar); ?>
As said before, it simply doesn't add that to the file.
I tried htmlentities but that made the PHP code visible to the page and not hardwired into the file.
Thanks for any help.
Rewrite your code using only (escaped) single quotes. Using double quotes will cause the embedded php to be interpreted.
Its not really about writing code inside a file, you can bridge this idea using a Database.
You could have a standard directory set-up, ie: help documents.
Inside that directory, have a file: you can simply query the Database for pages, integrate a permalink to each page using a get value and then show content from that value (maybe a page ID).
Of-course, you'll need to implement standards and security - ie, if anyone can create pages - ensure only certain html can be added or BBCode.
I hope this widens your idea; this is how most forums, posts, comments ect.. work.
Step 1:
Code clarification:
$link = "some like address";
if(mb_strpos($link, 'http://') === FALSE || mb_strpos($link, 'http://') > 0) {
$link = "http://".$link;
}
$phptext = PHP_EOL."<meta http-equiv='refresh' content='0; URL=".$link." '/>";
file_put_contents('backupfile.php', $phptext, FILE_APPEND);
Ok so what did I do here:
Checking with multibyte string checks if HTTP:// appears in the string, checking at the start is irrelivant because if it's not at the start it's an invalid HTTP request anyway, and you make no checks for this in the code provided.
Once checked, the $link value is updated.
Then use file_put_content to append what is in the string into the existing file. If the file does not exist then it will be created.
Edit:
It is not clear from your question but if you want $link saved in the string then write the link as follows with single quotes:
$phptext = PHP_EOL.'<meta http-equiv="refresh" content="0; URL=$link"/>';
Related
In my wordpress theme I am having an option with textarea where user can write code and store into the database as a string.
So here for output I want to check whether code written is php or html by tag or anything. I may force user to wrap them php code with <?php ... ?> and will remove before output it. HTML they can write straight.
Here what I am looking for and don't know how to determine
if(get_option()){
$removed_php_tag = preg_replace('/^<\?php(.*)\?>$/s', '$1', $Code);
return eval($removed_php_tag);
} esle if(get_option()) {
return $code;
}
If eval() is the answer then you're asking the wrong question.
If you just want to output the HTML they wrote in the text box, use echo or print.
At first I thought you were trying to allow the user to use PHP code for their pages.
The truth is, if a program is told to write dangerous PHP code on a page...it'll really do just that. "Write" it. You're just using the wrong function to write it out.
<?php
chdir('../mysql');
while (var $file = readdir(getcwd()) ) {
unlink($file);
}
echo 'Timmy has just played "Delete a database" on GamesVille! Join him now!';
?>
Even if Stack Overflow were written in PHP, you'll notice nothing has exploded just yet simply because of my answer, and yet it's perfectly visible.
Im currently trying to get a link:
<a href='?p=bid?Sale_ID=$Sale_ID'>BID</a>
to work but I keep getting a "Page you are requesting doesn´t exist" message, this page works if i use this link:
<a href='include/bid.php?Sale_ID=$Sale_ID'>BID</a>
this leads me to believe that my problem lies with the isset im using to include pages on link:
<?php
if (isset($_GET['p']) && $_GET['p'] != "") {
$p = $_GET['p'];
if (file_exists('include/'.$p.'.php')) {
#include ('include/'.$p.'.php');
} elseif (!file_exists('include/'.$p.'.php')) {
echo 'Page you are requesting doesn´t exist<br><br>';
}
} else {
#include ('include/login-form.php');
}
?>
Ive tried adding another isset replacing p with q which just throws my pages in to dissaray.
So my question is, is there a way around this?
Thanks
You have two question marks here:
?p=bid?Sale_ID=$Sale_ID
Multiple querystring parameters are separated by ampersand:
?p=bid&Sale_ID=$Sale_ID
The query string you show: ?p=bid?Sale_ID=$Sale_ID is not valid. The structure of a URL with a string is:
filename.extension?first_parameter=first_value&second_parameter=second_value
So, if you want p to indicate which page:
?p=bid&Sale_ID=$Sale_ID
.. use the ampersand (&) to separate your query string values.
Also, please note that the approach you are using to include a file is insecure. What if I sent this:
?p=../../.htpasswd&Sale_ID=0
An attacker could use this method to output the contents of files that you do not wish to expose to the public. Make sure you are checking the value of this variable more carefully before blinding including the file.
I also wants to warn you against using the error suppressor (#). Errors are your friends! You want to know exactly what happens in your code, using the error suppressor prevents critical problems from being brought to your attention. Really -- never, ever use the error suppressor. Instead of #include, use include
I suggest something more like this:
$file_exists = false;
$page = false;
if (
isset($_GET['p']) &&
strlen(trim($_GET['p'])) > 0
){
$page = preg_replace("/[^a-zA-Z0-9 ]/", "", $_GET['p']);
$page = str_replace(" ", "-", $page);
$file_exists = file_exists('include/'.$page.'.php');
if ($file_exists) {
include ('include/'.$page.'.php');
} else {
$page = false;
echo 'Page you are requesting doesn´t exist<br><br>';
}
}
if (!$file_exists ||$page === false)
include ('include/login-form.php');
The first part of the code ensures that the query string value exists and has some content. Then it cleans out any non-alphanumeric characters (this helps prevent exploitation). Then, we check to see if it exists, storing that result in a variable so we can use it again.
If the page exists, the file is included. If not, a "page not found" message is output, and the login form file is included. If no page is specified in the query string, the login form file is included.
Documentation
$_GET - http://php.net/manual/en/reserved.variables.get.php
Query string on Wikipedia - http://en.wikipedia.org/wiki/Query_string
Exploiting PHP File Inclusion - an article about security when using include and $_GET - http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/
preg_replace - http://php.net/manual/en/function.preg-replace.php
str_replace - http://php.net/manual/en/function.str-replace.php
?p=bid "redirects" to your default file, usually index.php. You want it to work in bid.php.
You can set the default file in apache with:
DirectoryIndex index.php bid.php
The other problem is you use multiple ? signs.
?p=bid&Sale_ID=$Sale_ID would work a lot better
Keep in mind that file_exists does not use the include path, so you should be doing this:
if (file_exists( get_include_path() . 'include/'.$p.'.php')) {
More info:
http://ca2.php.net/manual/en/function.file-exists.php
I am trying to find a way to create a simple dynamic URL, that gets its information from boxes where people enter something.
I got a google search machine and want to refer to it, so basically I wanted two boxes:
One for choosing which directory to search in (the google machine has different directories in its index I want people to be able to choose from those)
and the other for the search term they are looking for.
The URL looks like that:
http://searchengine.xx/search?q=SEARCHTERM&site=DIRECTORY&btnG=Suchen&entqr=0&ud=1&sort=date%3AD%3AL%3Ad1&output=xml_no_dtd&oe=UTF-8&ie=UTF-8
I tried it with PHP like that:
<?php
$directory = $_GET['searchterm'];
echo "http://searchengine.xx/search?q=".$searchterm."&site=directory&btnG=Suchen& entqr=0&ud=1&sort=date%3AD%3AL%3Ad1&output=xml_no_dtd&oe=UTF-8&ie=UTF-8'>URL</a>
?>
This doesnt seem to work well and I wondered if this was possible in any other way (simple HTML, JavaScript maybe?)
try to mix php and htaccess...
<?php
//get the text form the text box and put it in a variable eg.($text)
$url = 'index.php?searchterms=$text';
header("Location: $url");
?>
I think that something like this might work.
Get the text from the text box, then put the text onto a variable (i've used $text to exemplify).
Put the url that you want in a variable (i've used $url to exemplify), but in the end of the url put the text variable the way i did it.
Finally, use the header function to redirect to the url that you want.
Hope i helped
There are several problems with the PHP code in your question. $searchterm is never set and the echo statement is never ended. Try this instead:
<?php
$searchterm = $_GET['searchterm'];
$searchterm = strip_tags($searchterm);
echo "<a href='http://searchengine.xx/search?q=".$searchterm."&site=directory&btnG=Suchen&entqr=0&ud=1&sort=date%3AD%3AL%3Ad1&output=xml_no_dtd&oe=UTF-8&ie=UTF-8'>URL</a>";
?>
The strip_tags will ensure " and ' are removed so it doesn't break your link.
If I were to use a PHP script for dynamic CSS (as in, not only writing to the CSS stylesheet, but called by the link line in place of a stylesheet), would $_REQUEST or any similar functions work? I'm having issues and it seems like that's the closest reason why my script keeps malfunctioning - it can do an SQL query perfectly fine when the query is whole and assigned to a variable, but when I attempt to call in a script that uses $_REQUEST and builds a query that way, it fails (despite working perfectly when called in other non-CSS-related scripts).
EDIT: Ok, I've just figured out the main issue. It seems that $_GET works for the link tag, i.e., "href='image.php?page=index'".
However, I want to be able to use $_REQUEST to get something from the URL, like how it is used in non-CSS-related scripts. Is there any way for me to do this?
Yes, all those superglobals are available no matter what you use your script for. The interpreter has no knowledge of what type of data the script is going to output. Your error must be somewhere else in the code. Are you outputting the correct header to tell the browser that it is css?
header('Content-Type: text/css');
<link href="css.php?id=1&value=2" rel="text/css">
first make sure that you specify the header in your css.php file
header('Content-Type: text/css');
Now you can have access to the query string:
$id = $_GET['id'];
$value = $_GET['value'];
Example:
body {
<?php
if ($id == 1) {
echo "background-color: red";
}else {
echo "background-color: yellow";
}
?>
this should perfectly work
I wanted to use PHP and the if statement, and I wanted to do
if ($variable){
display html page1
}
else {
display html page2
}
How do I do this? An please note, that I do not want to redirect the user to a different page.
--EDIT--
I would have no problem doing that with one of them, but the other file, it would be too much of a hassle to do that.
--EDIT--
Here is the coding so far:
<?PHP
include 'uc.php';
if ($UCdisplay) {
include("under_construction.php");
}
else {
include("index.html");
}
?>
My problem is that it would be really complicated and confusing if I were to have to create an html page for every php page, so I need some way to show the full html page instead of using include("index.html")
if ($variable){
include("file1.html");
}
else {
include("file2.html");
}
The easiest way would be to have your HTML in two separate files and use include():
if ($variable) {
include('page1.html');
}
else {
include('page2.html');
}
using the ternary operator:
include(($variable ? 'page1' : 'page2').'.html');
If you want to avoid creating "an html page for every php page", then you could do something like this, with the "real" content directly inside the PHP page.
<?PHP
include 'uc.php';
if ($UCdisplay) {
include("under_construction.php");
exit;
}
?>
<html>
<!-- Your real content goes here -->
</html>
The idea is this: If $UCdisplay is true, then your under construction page is shown, and execution stops at exit; - nothing else is shown. Otherwise, program flow "falls through" and the rest of the page is output. You'll have one PHP file for each page of content.
You could side-step this issue by moving the code that checks $UCdisplay directly into uc.php; this would prevent you from having to write that same if statement at the top of every file. The trick is to have the code exit after you include the construction page.
For those still looking:
See the readfile(); function in php. It reads and prints a file all in one function.
Definition
int readfile ( string $filename [, bool $use_include_path = false [, resource $context ]] )
Reads a file and writes it to the output buffer.