I want to do:
$str = "<? echo 'abcd'; ?>";
if (is_valid_php($str)){
echo "{$str} is valid";
} else {
echo "{$str} is not valid PHP code";
}
Is there a simple way to do the is_valid_php check?
All I can find is online php syntax checkers and command-line ways to check syntax, or php_check_syntax which only works for a file, and I don't want to have to write to a file to check if the string is valid.
I'd rather not use system()/exec() or eval()
Related Question - It's old, so I'm hoping there's something new
Other Related Question - all the options (as far as I could tell) either are no longer supported or use command line or have to check files (not strings)
I don't need a full-fledged compiler or anything. I literally only need to know if the string is valid PHP code.
EDIT: By valid php code, I mean that it can be executed, has no compiler/syntax errors, and should contain only PHP code. It could have runtime errors and still be valid, like $y = 33/0;. And it should contain only PHP... Such as, <div>stuff</div><? echo "str"; ?> would be invalid, but <? echo "str"; ?> and echo "$str"; would be valid
You could pipe the string to php -l and call it using shell_exec:
$str1 = "<?php echo 'hello world';";
$str2 = "<?php echo 'hello world'";
echo isValidPHP($str1) ? "Valid" : "Invalid"; //Valid
echo isValidPHP($str2) ? "Valid" : "Invalid"; //Inalid
function isValidPHP($str) {
return trim(shell_exec("echo " . escapeshellarg($str) . " | php -l")) == "No syntax errors detected in -";
}
Just had another idea... this time using eval but safely:
test_code.php
$code = "return; " . $_GET['code'];
//eval is safe here because it won't do anything
//since the first thing we do is return
//but we still get parse errors if it's not valid
//If that happens, it will crash the whole script,
//so we need it to be in a separate request
eval($code);
return "1";
elsewhere in your code:
echo isValidPHP("<?php echo \"It works!\";");
function isValidPHP($code) {
$valid = file_get_contents("http://www.yoursite.com/test_code.php?" . http_build_query(['code' => $code]));
return !!$valid;
}
Edit: Just saw that you want to rather refrain from using exec().
I think this is going to be very hard without it though, php removed the check_syntax function for a reason.
Maybe ( and I really am just guessing here when it comes to the effort you want to invest ) running the php -l in a container ( docker pretty much these days ) and passing the code via a http call to the docker daemon ( just a run command against the standard php cli would do it here ). Then you could use something like below code example without worries ( provided you don't give any permissions to your container obv ).
You could use exec and the php commandline like this:
$ret = exec( 'echo "<?php echo \"bla\";" | php -l 2> /dev/null' );
echo strpos( $ret, 'Errors parsing' ) !== false ? "\nerror" : "\nno error";
$ret = exec( 'echo "<?php eccho \"bla\";" | php -l 2> /dev/null' );
echo strpos( $ret, 'Errors parsing' ) !== false ? "\nerror" : "\nno error";
which returns:
no error
error
No file needed thanks to piping the output. Also using the redirection to dev null we get no unwanted output elsewhere.
Still surely a little dirty, but the shortest I can come up with.
Off the top of my head, this is easiest.
$str = "<? echo 'abcd'; ?>";
file_put_contents("/some/temp/path", $str);
exec("php -l /some/temp/path", $output, $result);
if ($result == 0){
echo "{$str} is valid";
} else {
echo "{$str} is not valid PHP code";
}
unlink("/some/temp/path");
The reason I didn't use php_check_syntax is because:
it's deprecated
it actually executes the code
Related
Could someone point out what I'm mistaking here? :)
<?php
$q = $_GET[q];
$acuman = <<<PARSE
input: (contains: "hello"){
output: "hello";
}
PARSE;
$acuman = str_replace("input: (contains: ", 'if(strpos(', $acuman);
$acuman = str_replace("){", ', $q) !== false) {', $acuman);
$acuman = str_replace("output: ", '$output = ', $acuman);
eval($acuman);
?>
I'm attempting to execute the string $acuman, a heredoc which has been altered by various str_replace functions. However, it is not doing what I intend it to do, and I am confused as of what to do as I've tried many different things.
Since many people seemed confused: My intention is for the code in the string $acuman to be executed as code properly. I just want the eval function to work. I know that eval is evil, please, stop: I'm just asking for help for solving the problem at hand.
Edit: When I echo the string $acuman, this is what I get:
if(strpos("hello", $q) !== false) { $output = "hello"; }
You have the arguments in the wrong order:
if(strpos($q, "hello") !== false) { $output = "hello"; }
strpos() takes the "haystack" (string being searched) as the first argument and the "needle" (string to find as within the "haystack") as the second argument.
Ok, so... $acuman appears to contain the following:
if(strpos("hello", $q) !== false) {
echo "hello";
}
Which indicates that $q needs to contain a portion of "hello" to echo the string "hello".
I don't see any problem here, EXCEPT that $q = $_GET[q]; won't work with any modern version because q is treated like a constant, not a variable nor a string literal array index. See this PHP documentation on the subject.
Upon changing to $q = $_GET['q']; instead (note the quotes), it seems like this code actually works. It will output "hello" whenever passing any portion of "hello" to the URL parameter (which gets passed to the PHP code).
Needless to say: Do not use this code for production. The code as it is is very vulnerable and allows a user to pass raw PHP code through to your script to execute. The function of this code can be completely re-written in a much safer manner, but you have expressed the desire to continue using eval(); so please be careful.
Enjoy.
I've been struggling to echo the output of a function. I tried this:
echo 'myFunction('foo')';
.. which obviously won't work, due to the extra single quotes. Any suggestions?
Let's take this function :
function getStr()
{
return "hello";
}
It will simply return a string, which means, calling this :
echo getStr();
Has the same exact result as calling this :
echo "hello";
Which means, the result of your function can be treated just like a variable (except you cant modify it), so you can do whatever you want with the result :
$string = getStr() . ' - ' . getStr();
echo $string; // Will print "hello - hello";
After trying a little while, I tried calling echo as an function:
echo (myFunction('foo'));
This works perfectly. I couldn't find this elsewhere on the internet (maybe I'm just a bad googler). Anyways, I thought I could might share this with you guys. In case anyone ever runs into the same problem.
Try this:
echo myFunction('foo');
I wrote a php search script on my site for checking to see if a package exists in a text file or not (I used file_get_contents.) It takes what the user entered and combines it with the string 'BUILD: ' Below is an example of the file and I'll explain in the paragraph following it:
BUILD: packageA
URL: www.package-a.com
BUILD: packageB
URL: www.package-b.com
BUILD: packageC
URL: www.package-c.com
So if a user were to search "packageB", it would be combined with "BUILD: " making the variable I'm testing with have the value: "BUILD: packageB". I have a conditional saying if that string exists or not; everything's working good on that end.
My question/problem is how can I list the URL: line beneath it with an echo? I've been testing some ideas with strlen() and I can't seem to get it and the text file has different strlens for entry. Is there a way to make PHP force a "nextLine()" if there is such a thing... does PHP recognize return delimits?
Thank you!
// The string you are searching for
$package = 'packageB';
// Get the file into an array
$data = file('myfile.txt');
// Loop the data
for ($i = 0, $found = FALSE; isset($data[$i]); $i++) {
if (trim($data[$i]) == "BUILD: $package") { // We found the one we're looking for
echo trim($data[++$i]); // Echo the next line
$found = TRUE;
break; // Stop looping
}
}
if ($found) {
echo "<br />\nI found the URL on line $i";
} else {
echo "I didn't find it!";
}
file() gets the file data as an array where each element is one line of the file, unlike a single string like file_get_contents() returns.
You can do a regex with the /m modifier which makes it match across multiple lines, then use a parenthesized pattern to capture the line following the match:
if (preg_match_all('/BUILD: packageB\n(.+)\n/m', file_get_contents('file.txt'), $match)) {
foreach ($match[1] as $match) {
echo "$match\n";
}
}
Outputs:
URL: www.package-b.com
If you are open to alternative methods, then here is a simpler/faster solution.
builds.php
<?php
$builds=array("packageA"=>"www.package-a.com",
"packageB"=>"www.package-b.com",
"packageC"=>"www.package-c.com",
"packageD"=>"www.package-d.com");
?>
OtherScript.php
<?php
if(isset($_POST['package'])){
include('./builds.php');
if(array_key_exists($_POST['package'], $builds)){
$notice="You Selected: ".$_POST['package']." Url:".$builds[$_POST['package']];
}else{
$notice="Package Not Found";
}
}
echo (isset($_POST['package']))?$notice:'';
?>
I would like to know if it's possible to execute the php code in a string. I mean if I have:
$string = If i say <?php echo 'lala';?> I wanna get "<?php echo 'dada'; ?>";
Does anybody knows how?
[EDIT] It looks like nobody understood. I wanna save a string like
$string = If i say <?php count(array('lala'));?>
in a database and then render it. I can do it using
function render_php($string){
ob_start();
eval('?>' . $string);
$string = ob_get_contents();
ob_end_clean();
return $string;
}
The problem is that I does not reconize php code into "" (quotes) like
I say "<?php echo 'dada'; ?>"
$string = ($test === TRUE) ? 'lala' : 'falala';
There are lots of ways to do what it looks like you're trying to do (if I'm reading what you wrote correctly). The above is a ternary. If the condition evaluates to true then $string will be set to 'lala' else set to 'falala'.
If you're literally asking what you wrote, then use the eval() function. It takes a passed string and executes it as if it were php code. Don't include the <?php ?> tags.
function dropAllTables() {
// drop all tables in db
}
$string = 'dropAllTables();';
eval($string); // will execute the dropAllTables() function
[edit]
You can use the following regular expression to find all the php code:
preg_match_all('/(<\?php )(.+?)( \?>)/', $string, $php_code, PREG_OFFSET_CAPTURE);
$php_code will be an array where $php_code[0] will return an array of all the matches with the code + <?php ?> tags. $php_code[2] will be an array with just the code to execute.
So,
$string = "array has <?php count(array('lala')); ?> 1 member <?php count(array('falala')); ?>";
preg_match_all('/(<\?php )(.+?)( \?>)/', $string, $php_code, PREG_OFFSET_CAPTURE);
echo $php_code[0][0][0]; // <?php count(array('lala')); ?>
echo $php_code[2][0][0]; // count(array('lala'));
This should be helpful for what you want to do.
Looks like you are trying to concatenate. Use the concatenation operator "."
$string = "if i say " . $lala . " I wanna get " . $dada;
or
$string = "if i say {$lala} I wanna get {$dada}.";
That is what I get since your string looks to be a php variable.
EDIT:
<?php ?> is used when you want to tell the PHP interpreter that the code in those brackets should be interpreted as PHP. When working within those PHP brackets you do not need to include them again. So as you would just do this:
// You create a string:
$myString = "This is my string.";
// You decide you want to add something to it.
$myString .= getMyNameFunction(); // not $myString .= <?php getMyNameFunction() ?>;
The string is created, then the results of getMyNameFunction() are appended to it. Now if you declared the $myString variable at the top of your page, and wanted to use it later you would do this:
<span id="myString"><?php echo $myString; ?></span>
This would tell the interpreter to add the contents of the $myString variable between the tags.
Use token_get_all() on the string, then look for a T_OPEN_TAG token, start copying from there, look for a T_CLOSE_TAG token and stop there. The string between the token next to T_OPEN_TAG and until the token right before T_CLOSE_TAG is your PHP code.
This is fast and cannot fail, since it uses PHP's tokenizer to parse the string. You will always find the bits of PHP code inside the string, even if the string contains comments or other strings which might contain ?> or any other related substrings that will confuse regular expressions or a hand-written, slow, pure PHP parser.
I would consider not storing your PHP code blocks in a database and evaluating them using eval. There is usually a better solution. Read about Design Pattern, OOP, Polymorphism.
You could use the eval() function.
I'm having trouble describing this issue, which is probably why I can't find the answer on google.. so I figured I would try getting help here. If I'm repeating this question, feel free to direct me to a link to the thread.
So basically the issue I'm having is I am trying to pass a variable to a function that contains some php code to be eval'd.
Here's the simplified version of the code:
function senduser($body) {
$query = mysql_query("SELECT * FROM User_tbl");
while ($row = mysql_fetch_array($query)) {
echo eval($body);
}
}
$body = 'Hello $row[\'user_first_name\'] <br>';
sendUser($body);
--
For some reason, the output isn't putting out what I want. I've gotten a few whitespace errors, and a few times I've gotten the code to output the plain text of the variable $body.
Any help is appreciated. Let me know if I need to clarify the issue further.
I would change it to this:
function sendUser($body) {
$query = mysql_query("SELECT * FROM User_tbl");
while ($row = mysql_fetch_array($query)) {
echo $body($row);
}
}
And then call it like this (php 5.3+):
$body = function ($row) {
return "Hello ".
htmlspecialchars($row['user_first_name'], ENT_QUOTES, 'UTF-8').
"<br />";
};
sendUser($body);
In php <= 5.2, it's a lot messier:
$body = create_function(
'$row',
'return "Hello ".'.
'htmlspecialchars($row["user_first_name"], ENT_QUOTES, "UTF-8").'.
'"<br />";'
);
sendUser($body);
That isn't now eval works; it returns null unless you explicitly return a value. You're also missing quotes around the string, and a semicolon at the end of the statement.
To get it to echo something, you'd have to pass the echo as part of the code to be evaluated:
$body = 'echo "Hello $row[\'user_first_name\'] <br>";';
or, to get your code working as written, you'd have to return the formatted string:
$body = 'return "Hello $row[\'user_first_name\'] <br>";';
This is a pretty contrived use of eval. You'd be far better off passing in a printf-style format string and using sprintf to substitute values into it, and returning that string for printing. As it stands you seem to be mixing your display logic with your database logic, which is a bad thing.
Your code, as is, will never work. Removing the mysql portion:
<?php
function senduser($body) {
$row['user_first_name'] = 'Fred';
echo eval($body);
}
$body = 'Hello $row[\'user_first_name\'] <br>';
sendUser($body);
Gives me:
PHP Parse error: syntax error, unexpected T_VARIABLE in /home/marc/z.php(5) : eval()'d code on line 1
Anything you pass in to eval() must be raw PHP code. It can't be plaintext with embedded <?php ?> PHP blocks - it has to be actual PHP code. When you fix up $body to account for this:
$body = 'echo "Hello {$row[\'user_first_name\']} <br>";';
Then you get:
Hello Fred <br>
I'm not exactly positive what you're trying to do, but I think your problem is in the definition of $body and your use of eval.
$body = 'Hello $row[\'user_first_name\'] <br>';
is not a valid line of php, and eval won't know what to do with it.
See if this fits what you want:
function senduser($body) {
$query = mysql_query("SELECT * FROM User_tbl");
while ($row = mysql_fetch_array($query)) {
eval($body);
}
}
$body = 'echo "Hello {$row[\'user_first_name\']} <br>";';
sendUser($body);