So I have a page called create.php that creates another php file called "1". In this php file called "1". I was hoping to use
<?php echo $_SERVER['PHP_SELF'];?>
or
<?php $path = $_SERVER["SCRIPT_NAME"];echo $path;?>
To create a link that would take the number of the page and +1 it. When I do both of these functions instead of getting what I would think I would get, "1", I get "create", the page that it was created with. I'm quite dumbfounded by why this is happening, the code is most definitely on "1" and I even double checked to make sure create made a file and that I was on it so why does it think the current page is "create"?
Code being used
<?php
// start the output buffer
ob_start(); ?>
<?php echo $_SERVER['PHP_SELF'];?>
<?php
// open the cache file "cache/1" for writing
$fp = fopen("cache/1", 'w');
// save the contents of output buffer to the file
fwrite($fp, ob_get_contents());
fclose($fp);
ob_end_flush();
?>
You split the code in pieces and you probably have a wrong idea about what happens and what will be written in cache/1. Your code is the same as the following:
<?php
// start the output buffer
ob_start();
// echo the path of the current script
echo $_SERVER['PHP_SELF'];
// open the cache file "cache/1" for writing
$fp = fopen("cache/1", 'w');
// save the contents of output buffer to the file
fwrite($fp, ob_get_contents());
fclose($fp);
ob_end_flush();
I removed the closing PHP tag (?>) when it was followed by an open PHP tag (<?php).
Now it should be clear that, without output buffering, the script create.php display its own path relative to the document root. The output buffering captures the output and puts it into file cache/1.
You don't even need output buffering for this. You can simply remove all the calls to ob_* functions, remove the echo() line and use:
fwrite($fp, $_SERVER['PHP_SELF']);
It's clear that this is not your goal. You probably want to generate a PHP file that contains the following content:
<?php echo $_SERVER['PHP_SELF'];?>
This is as simple as it putting this text into a string and writing the string to the file:
<?php
$code = '<?php echo $_SERVER["PHP_SELF"];?>';
$fp = fopen("cache/1", 'w');
fwrite($fp, $code);
fclose($fp);
You can even use the PHP function file_put_contents() and all the code you posted in the question becomes:
file_put_contents('cache/1', '<?php echo $_SERVER["PHP_SELF"];?>');
If you need to put a bigger block of PHP code in the generated file then you can use the nowdoc string syntax:
$code = <<<'END_CODE'
<?php
// A lot of code here
// on multiple lines
// It is not parsed for variables and it arrives as is
// into the $code variable
$path = $_SERVER['PHP_SELF'];
echo('The path of this file is: '.$path."\n");
$newPath = dirname($path).'/'.(1+(int)basename($path));
echo('The path of next file is: '.$newPath."\n");
// That's all; there is no need for the PHP closing tag
END_CODE;
// Now, the lines 2-11 from the code above are stored verbatim in variable $code
// Put them in a file
file_put_contents('cache/1', $code);
Related
How to read a .php file using php
Let's say you have two files a.php and b.php on same folder.
Code on the file b.php
<?php
echo "hi";
?>
and code on a.php
<?php
$data = file_get_contents('b.php');
echo $data;
You access a.php on browser.
What do you see? A blank page.
Please check the page source now. It is there.
But not showing in browser as <?php is not a valid html tag. So browser can not render it properly to show as output.
<?php
$data = htmlentities(file_get_contents('b.php'));
echo $data;
Now you can see the output in browser.
If you want to get the content generated by PHP, then
$data = file_get_contents('http://host/path/file.php');
If you want to get the source code of the PHP file, then
$data = file_get_contents('path/file.php');
Remember that file_get_contents() will not work if your server has *allow_url_fopen* turned off.
//get the real path of the file in folder if necessary
$path = realpath("/path/to/myfilename.php");
//read the file
$lines = file($path,FILE_IGNORE_NEW_LINES);
Each line of the 'myfilename.php' will be stored as a string in the array '$lines'.
And then, you may use all string functions in php. More info about available string functions is available here: http://www.php.net/manual/en/ref.strings.php
I'm using the Redactor editor in a custom built CMS. Redactor has an option, phpTags, which when set to true allows PHP code to be entered and saved as part of the content.
The issue is that this PHP code is being seen as text, not PHP code, and is being escaped rather than being processed.
For example, if I enter this in the editor:
<?php echo date('Y'); ?>
Instead of the year being displayed, the code is commented out in the page's markup, like so:
<!--?php echo date('Y'); ?-->
How can I prevent this from happening? To make sure the PHP code is processed/interpreted as such by the server?
I should probably mention that there are a lot of people using this CMS, so there's no way to know what PHP code may be added in advance.
Perhaps
<!-- <?php echo date('Y') ?> -->
You can't change PHP's opening/closing tags like you are, not without a recompile of PHP. If you want to hide php's output, then surround the entire php code block with html comment tags.
PHP won't care about the html comments. It couldn't care at all what it's embedded in. You could stuff a PHP code block into the middle of a .jpg file and it'd still execute, as long as the webserver's configured to run .jpg files through the PHP interpreter.
To fix this issue I took the content I was previously just displaying via echo, and saved it to a temporary file.
Then I turned on output buffering, included that temporary file in the PHP script, and grabbed its contents via ob_get_contents().
This allowed me to display the content with all the PHP within having been parsed. Here's the code for reference:
// Create path to temporary file
$tmpPath = '/temp.php';
// Set file variable to null for error checking
$tmpFile = NULL;
// Try creating the temporary file
if ( $tmpFile = fopen($tmpPath, 'w') ) {
if ( fwrite($tmpFile, $postContent) === FALSE ) {
// Do something if the file can't be written to
} else {
// Close file
fclose($tmpFile);
}
}
// Start output buffereing
ob_start();
// Include the temporary file created above
include $tmpPath;
// Save buffered contents to a variable
$content = ob_get_contents();
// End output buffering
ob_end_clean();
// Display content
echo $content;
I appreciate the various comments to my question, as it helped prod me in the right direction to getting this figured out.
How to read a .php file using php
Let's say you have two files a.php and b.php on same folder.
Code on the file b.php
<?php
echo "hi";
?>
and code on a.php
<?php
$data = file_get_contents('b.php');
echo $data;
You access a.php on browser.
What do you see? A blank page.
Please check the page source now. It is there.
But not showing in browser as <?php is not a valid html tag. So browser can not render it properly to show as output.
<?php
$data = htmlentities(file_get_contents('b.php'));
echo $data;
Now you can see the output in browser.
If you want to get the content generated by PHP, then
$data = file_get_contents('http://host/path/file.php');
If you want to get the source code of the PHP file, then
$data = file_get_contents('path/file.php');
Remember that file_get_contents() will not work if your server has *allow_url_fopen* turned off.
//get the real path of the file in folder if necessary
$path = realpath("/path/to/myfilename.php");
//read the file
$lines = file($path,FILE_IGNORE_NEW_LINES);
Each line of the 'myfilename.php' will be stored as a string in the array '$lines'.
And then, you may use all string functions in php. More info about available string functions is available here: http://www.php.net/manual/en/ref.strings.php
I have the following code:
<?
$serverurl = $_SERVER["DOCUMENT_ROOT"];
$file = $serverurl.'/demo/sample_php.php';
$newfile = $serverurl.'/demo/sample_php.txt';
if (!copy($file, $newfile)) {
echo "failed to copy $file...\n";
}
$homepage = file_get_contents($serverurl.'/demo/sample_php.txt');
?>
<pre class="code">
<code class="php boc-html-script">
<? echo htmlentities($homepage, ENT_QUOTES); ?>
</code>
</pre>
<? unlink($newfile); ?>
This basically copies a *.php file to a *.txt file, displays the contents, then deletes it. However, I don't want to create a visible file, as the application is designed to display a list of files, then display the contents of the file. Having a file appear with a .txt extension would be confusing.
I realize I could create a folder that is hidden, and do all my converting there, but I am thinking there must be a more efficient way to display the contents of a php file.
I did some experimenting with tmpfile(), but I couldn't get the contents of the php file to write to it.
Any ideas?
There is no reason to do the file copy. file_get_contents() returns the contents of the file as a string, which is all you need. It will not parse and execute the PHP code as include()/require() would.
Just retrieve the contents of the PHP file into the $homepage variable and echo it out as you have done with the temporary text file.
<?php
// get the PHP file directly.
$homepage = file_get_contents($serverurl.'/demo/sample_php.php');
?>
<pre class="code">
<code class="php boc-html-script">
<?php echo htmlentities($homepage, ENT_QUOTES); ?>
</code>
</pre>
After suggestions in the comments to print with highlighting, you can do it more easily with highlight_file():
highlight_file($serverurl.'/demo/sample_php.php');
I've been writing a php/html page encoder/decoder... I know it already exists but it's a university project so go on XDDD
I encode the pages that I want to protect let's say hypothetically with base64_encode and when I receive a request of any pages I have a loader that reads the coded page, decrypts it and with eval executes it. The real problems arise when I try to decrypt and execute a mixed php/html page. Obviously eval can't execute html code so my question is do I really become crazy about splitting the page executing the php code and print the html? And also if I include an encoded php or php/html page do I really have to reuse the method up here?
I hope someone can really help me because i have a week left before the deadline and I can't change the project at this point.
chris here the function and the fisrt calling in $param[0] i've got the filename called
function MyInclude($filename)
{
// create the temp file
$temp_filename = "tmp.php";
$handle = fopen($temp_filename , 'w+');
if (!$handle)
die('Error creating temp file');
// write the decrypted data, close the handle
$tmp=file_get_contents($filename);
$data=MCrypt_Decode($tmp,'PFL_EPU_V100_mia');
fwrite($handle,$data );
fclose($handle);
// start output buffering to contain any output the script creates
ob_start();
try {
include($temp_filename);
} catch (Exception $e) {
die('There was an error in the encrypted file, cannot process');
}
// get the output, clear the buffer
$output = ob_get_contents();
ob_end_clean();
//destroy the temp file
unlink($temp_filename);
// now you can output the buffer, if desired:
echo $output;
}
MyInclude($param[0]);
the $param[0] file here
<?php
session_start();
$_SESSION['title']='Home';
MyInclude("header.php");
?>
<body>
sono il body <?php echo APP_PATH; ?>
</body>
<?
echo "boss";
MyInclude("footer.php");
?>
any idea about it??? or you need some other code??? let me know T_T
Mike
You can eval() a string that contains mixed html and php, just so long as the tags are included.
http://php.net/manual/en/function.eval.php
When eval() encounters a php close tag (?>), it will stop trying to treat it as php code and just echo everything out until it comes to a php open tag.
The typical solution to your problem is something like this:
$file = ... //Your decoded php/html code here
$file = '?>' . $file; //Add a close tag to the beginning;
ob_start();
eval($file);
$output = ob_get_clean();
echo $output; //Or do something else with it... really, if you're
//just going to be echoing it you can skip the output buffering
Is it possible to decrypt the page, write it to a file, then include it? That would let the PHP interpreter do what it does best - interpret PHP documents. That will include HTML/PHP combinations without relying on eval.
The outline of that would be:
// create the temp file
$temp_filename = "tmp.php";
$handle = fopen($filename , 'w');
if (!$handle)
die('Error creating temp file');
// write the decrypted data, close the handle
fwrite($handle, $decrypted_data);
fclose($handle);
// start output buffering to contain any output the script creates
ob_start();
try {
include_once($temp_filename);
} catch (Exception $e) {
die('There was an error in the encrypted file, cannot process');
}
// get the output, clear the buffer
$output = ob_get_contents();
ob_end_clean();
//destroy the temp file
unlink($temp_filename);
// now you can output the buffer, if desired:
echo $output;
Function references
fopen: http://us2.php.net/manual/en/function.fopen.php
fwrite: http://us2.php.net/manual/en/function.fwrite.php
fclose: http://us2.php.net/manual/en/function.fclose.php
ob_start: http://us2.php.net/manual/en/function.ob-start.php
ob_get_contents: http://us2.php.net/manual/en/function.ob-get-contents.php
ob_end_clean: http://us2.php.net/manual/en/function.ob-end-clean.php
unlink: http://www.php.net/manual/en/function.unlink.php
You will need dump the decoded file to another file and include(); it. The eval approach will not work because it will exit with a parse error if the first item in the file is not either an opening <?php tag, or a valid bit of PHP code.
More than this, you will need to find/replace any occurences of include(), require(), include_once(), and require_once() within the encrypted file with a different function, to ensure you don't try to execute another encrypted file before it has been decrypted. You could do this at execution (ie decryption) time, but it would be much better to it a encryption time, to minimise the time required to pre-fetch the code before it is executed.
You can define these customised functions to decrypt a file and include/require it in your loader script.
Your problem description is a bit vague however your problem seems to be solvable with output buffering.
Have you tried decrypting the page, then parsing the text to split out anything between and then only executing that code?