I have created a php editor using file function, where users can run code online and get result on the same page.
executephp5.php
<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>" method="post">
<b>Write your code here</b>
<textarea name="code"></textarea>
<input type="submit" value="Run code">
</form>
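<?php
// Submitted code; empty string when the page is first loaded
$cd = isset($_POST['code']) ? stripslashes($_POST['code']) : '';
// Don't write when the textarea is empty
if (empty($cd)) {
    echo "";
} else {
    // Overwrite demo.php with the submitted code
    $file = fopen("demo.php", "w");
    echo fwrite($file, $cd);
    fclose($file);
}
?>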
<b>Results:</b>
<hr>
<?php
error_reporting(E_ALL);
include "demo.php";
?>
demo.php is the target file; it is updated by the form.
This all works as expected. My problem is that I want to disable all file, directory, mail() and ftp functions for this editor so that users can not crash the site.
Is there any way to disable those functions only for my editor?
You can pass in disable_functions, i.e. "Comma separated list of functions to disable within the sandbox sub-interpreter."
Check Runkit_Sandbox. You should make the editor available as a sandbox.
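An added example of the Runkit_Sandbox approach suggested above; it is not code from the thread. It assumes the PECL runkit extension is loaded (sandbox support needs a thread-safe PHP build), and `SANDBOX_DIR`, `run_submitted_code()` and `escape_sandbox_output()` are hypothetical names. `disable_functions` is a block-list, so only the functions actually listed are refused.

```php
<?php
// Added example (not the asker's code). Assumes the PECL runkit extension
// with Runkit_Sandbox is loaded; SANDBOX_DIR is a placeholder path.
define('SANDBOX_DIR', '/var/www/sandbox-empty/');

// File, directory, mail and FTP functions named in the question, plus
// process execution. Extend the list to match the extensions you load.
$blocked = array(
    'fopen', 'file', 'file_get_contents', 'file_put_contents', 'readfile',
    'unlink', 'rename', 'copy', 'touch', 'chmod', 'tmpfile', 'tempnam',
    'mkdir', 'rmdir', 'opendir', 'scandir', 'glob', 'dir',
    'mail', 'ftp_connect', 'ftp_ssl_connect',
    'exec', 'shell_exec', 'system', 'passthru', 'popen', 'proc_open',
);

// Output handler: show whatever the submitted code prints as plain text.
function escape_sandbox_output($chunk)
{
    return htmlspecialchars($chunk, ENT_QUOTES, 'UTF-8');
}

function run_submitted_code($code, array $blocked)
{
    // Fail closed: never fall back to include/eval in the main interpreter.
    if (!class_exists('Runkit_Sandbox')) {
        return false;
    }
    $sandbox = new Runkit_Sandbox(array(
        'disable_functions' => implode(',', $blocked),
        'open_basedir'      => SANDBOX_DIR,   // confine any remaining file access
        'allow_url_fopen'   => 'false',
    ));
    $sandbox['output_handler'] = 'escape_sandbox_output';
    // The textarea content is expected to start with "<?php", so leave PHP
    // mode first, the same convention used with eval().
    $sandbox->eval('?>' . $code);
    return true;
}

if (isset($_POST['code']) && is_string($_POST['code']) && $_POST['code'] !== '') {
    if (!run_submitted_code($_POST['code'], $blocked)) {
        echo 'Sandbox unavailable; code was not run.';
    }
}
```

Unlike the original page, nothing is written to demo.php and nothing is included into the main interpreter, so the disabled functions stay available to the rest of the site.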
I have a form on my website. I wanted to save the input to a .txt file, but when I submit data, the .txt file gets larger (bytes increase) but no text shows up.
Here is the code
<div>
<form action="controller.php">
<input name="card" id="card" type="email">
<button type="submit" name="submit" >Submit</button>
</form>
</div>
Here is the .php code
<?php
$card = $_POST['card'];
$file = fopen ('file.txt', "a");
fwrite($file, $card . "\n");
fclose($file);
die(header("Location: ".$_SERVER["HTTP_REFERER"]));
?>
I have a sub domain with the same code and it works perfectly fine.
Why is it not working and how do I fix it?
I tried to change the id and the type.
You have a very simple issue here. Let's see why by trying to do this on your file:
print_r($_POST);
You will see that after posting your form, you have no POST data. Your form is, by default (on your server or PHP configuration), sending the data using not the POST method but the GET one (your other server is probably set up the opposite way).
To fix this, you can either change your $card variable to:
$card = $_GET['card'];
Or rather, and that would be a better option to make it clearer and avoid problems if you migrate your website to another server/PHP version, you could simply specify the method on your tag:
<form action="controller.php" method="post">
Please don't forget to secure the data that will be written to this file. Malicious users exist, and if you keep your code that simple, it might be a serious security issue.
I am trying to run a basic script using PHP. I am a complete beginner in PHP and I am trying to handle some data from a static website.
First, I created via VSC an HTML page which contains the following code:
suggestion.html
<form action="test.php" onsubmit="file_handler()" method='POST'>
Pseudonim: <input type="text" id="name" name='name'><br>
<div class="s">Sugestie:</div> <br><textarea maxlength="800" id="suggestion" name='text'></textarea><br>
<div class="span-ch"><span id="charNum"> </span> <span id="charText"></span></div><br>
<input type="submit" value="Submit">
</form>
The data of this form should be sent through a POST method to test.php, which contains the following code:
<!DOCTYPE html>
<html>
<?php
if(isset($_POST['name']) && isset($_POST['text'])) {
$filename = preg_replace('#[^A-Za-z0-9_-]#', '', $_POST['name']);
$file = $_SERVER['DOCUMENT_ROOT']."/textfiles/$filename.txt";
$f = fopen($file, 'w');
fwrite($f, $_POST['text']);
fclose($f);
echo 'Success.';
} else {
echo 'Error.';
}
?>
</html>
I have done the following:
I went to windows.php.net. Downloaded the last version of PHP.
I extracted the php zip on C drive.
I installed PHP Debug, Intelephense and the extension pack.
I configured PHP executablePath. I added the dict "php.executablePath": "C:\\php\\php.exe"
I run the code in my console and it seems to work.
On the browser, instead of executing the code, it simply renders it on the browser. The main point of this file is to create a text file that should be saved on server side using the input sent via POST method.
For the past two days I've been struggling with this issue. Can anybody help me understand why my PHP script is not run when I submit the form?
I much appreciate your time!
I am attempting to load a webpage on my own server which will run a .bat script (on the same server) as below.
When I access the page, called test.php, it displays the 'DO IT!' button and when I press it, it just displays the content of the .bat file rather than executing it on the server...
What do I need to configure on the server, I assume in the PHP settings, to force it to run the script rather than just display it on the webpage?
For the purpose of the question, I am happy about the security implications of what I am doing.
I am running a Windows machine with IIS and PHP.
<html>
<head>
<title>Restarting</title>
</head>
<body>
<?php
if(isset($_POST['submit']))
{
echo exec('c:\scripting.bat');
echo "Done!";
} else {
// display the form
?>
<form action="" method="post">
<input type="submit" name="submit" value="DO IT!">
</form>
<?php
}
?>
</body>
</html>
I think that the echo exec('c:\scripting.bat'); line is causing you the problem. Try to just execute it without the echo statement.
If you are trying to see the output of the function, you must use the function's second parameter: &$output, according to the documentation itself. See it in the docs here.
I hope it will be useful to you! :D
Well.... I want to know how to make a script to create a html page. So when the script is executed, it will create a new page. Something like this: mydomain.com/test.html . The script should create the test.html page!
Here is my work:
<form action="index.php" method="post">
<input type="text" name="nick" value="Enter NIck" />
<input type="submit" value="Create" />
</form>
<?php
$nick=$_POST['nick']; // get the users input
$fh=fopen('$nick' , 'w'); // Create the page
$contents= include 'sys.php';
fwrite($fh, $contents);
fclose($fh);
echo "Redridectring to your page....";
header('Location: $nick');
?>
Now, what this code should do is create a page, which is called
$nick. So if the input is "bleugh", the $nick should be $nick="bleugh".
Then it will create the page "bleugh", include sys.php, then header to the
page. Is this right? Will it work?
You cannot use PHP variables that way inside single quotes
Is OK:
"{$nick}"
Won't Work:
'$nick'
But I am not sure what you're trying to do with "$contents= include 'sys.php';"? Perhaps you want to capture the output of sys.php into a string? Either way, you need to be careful with vulnerabilities you are opening yourself to.
I think your method by creating a file and then redirect to the file is basically okay. Additional comments:
Make sure the PHP process has write permission to the folder you write into.
Do you really have to include sys.php? You need to write proper html tags into $contents when you really want to create a HTML file.
You should perform redirect before outputting any character, so your redirect would not work because it is preceded by an echo operation.
Try this:
header('Location: '.$nick.'');
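An added example, not code from the thread: the points raised in the answers above (variable interpolation, capturing the output of sys.php, redirecting before any output) combined with an allow-listed file name, since `$nick` comes straight from the form. The `pages` directory, the `create_page()` helper and the use of sys.php as the page template are assumptions.

```php
<?php
// Added example, not code from the thread. PAGES_DIR and the role of
// sys.php as the page template are assumptions.
define('PAGES_DIR', __DIR__ . '/pages');

function create_page($nick)
{
    // Allow-list the name: letters, digits, _ and - only, bounded length.
    // \z (not $) so a trailing newline cannot slip through. This rejects
    // "../", absolute paths and any extension such as ".php".
    if (!is_string($nick) || !preg_match('/^[A-Za-z0-9_-]{1,32}\z/', $nick)) {
        return null;
    }
    $path = PAGES_DIR . '/' . $nick . '.html';   // extension is fixed here

    // include returns 1, not the page; buffer its output to get a string
    ob_start();
    include __DIR__ . '/sys.php';
    $contents = ob_get_clean();

    // Mode 'x' fails if the file exists, so one user cannot overwrite
    // another user's page.
    $fh = @fopen($path, 'x');
    if ($fh === false) {
        return null;
    }
    fwrite($fh, $contents);
    fclose($fh);
    return 'pages/' . $nick . '.html';
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $target = create_page(isset($_POST['nick']) ? $_POST['nick'] : null);
    if ($target === null) {
        http_response_code(400);
        exit('Invalid or already used name.');
    }
    // Redirect before any output is sent, then stop
    header('Location: ' . $target);
    exit;
}
```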
Oops! I figured it out. Had to strip slashes...
Hello, I have the following code to edit my configuration file in the browser. The file content is retrieved and displayed in a text box. Then the edits are saved back into the file. Everything works fine on my development machine but in my hosting account it does not work.
When I save the file, all single quotes are overwritten with a backslash added in front of them.
How can I change my code to prevent this? Thank you!
<?php
// button javascript
$save_changes_js = "return confirm('Do you want to SAVE the CHANGE(S)?');";
// open web config
$filename = ROOT_PATH.'web.config.php';
$contents = file_get_contents($filename);
if(isset($_POST['txbConfig']) && !empty($_POST['txbConfig']))
{
// save changes to file
$changes = $_POST['txbConfig'];
file_put_contents($filename,$changes);
// refresh page
$destination_url = SITE_URL.'admin/edit-config.php';
header('Location: '.$destination_url);
exit; // stop here so the rest of the page is not rendered after the redirect
}
?>
<form action="" method="post" name="editConfig" class="htmlForm">
<div class="editConfigWrap">
<textarea name="txbConfig"><?php echo htmlspecialchars($contents); ?></textarea>
</div>
<input name="submit" type="submit" value="Save Changes" class="gvbtn" onclick="<?php echo $save_changes_js; ?>">
</form>
This happens because your ISP still has Magic Quotes turned on. Ideally, get them to turn it off or find a way to configure it for your account.
If this can't be done, you need to use stripslashes or equivalent. See this other SO question: How to turn off magic quotes on shared hosting?
You've got 'magic quotes' turned on. They are anything but magic.
You can detect this setting and undo the magic by checking for it with get_magic_quotes_gpc or get_magic_quotes_runtime, e.g.
$value = get_magic_quotes_gpc() ? stripslashes($_REQUEST['value']) : $_REQUEST['value'];