You have a string, which contains a snippet of PHP code:
$run_me = "echo ('Hello World!!');";
How can you get PHP to run the code, contained in $run_me?
You can't do:
include ($run_me);
That would include the path $run_me, so what's the solution?
One way is to use eval(). This will execute the string you enter as PHP code.
Related
What happens when the first line is executed? Is the code being executed? Because nothing appears in the browser..
<?php echo htmlspecialchars_decode("&lt;?php file_put_contents(&quot;./tete.php&quot;,&quot;der inhalt&quot;); ?&gt;"); ?>
(I did htmlspecialchar on String: "<?php file_put_contents("./tete.php","content"); ?>" before and then want to decode it and it shouldn't be executed and if possible displayed in browser.)
I am wondering because nothing appears in the browser and there is an echo. But I don't think the code is being executed, because otherwise there should be a new tete.php file in the directory now. So what happens?
Look at the raw source code that is being output to the browser, it contains <?php file_put_contents("./tete.php","content"); ?>, which is being interpreted as an HTML tag and hence doesn't show up. And no, it's not being evaluated as PHP code. That would require that all strings are checked whether they're runnable PHP code and then get evaluated. And if the result of that is another string which is runnable PHP code? Infinite recursive PHP execution…? That's not how it works.
I'm trying to set up an html form that passes variables to a php script, that then passes them to a bash script.
I'm able to successfully pass variables from the html form to the php script, and I'm able to make the following pass variables to my bash script:
<?php
shell_exec('./bashscript.sh testarg1 testarg2 testarg3 testarg4');
?>
But, when I use the following:
<?php
shell_exec('./bashscript.sh $_POST[arg1] $_POST[arg2] $_POST[arg3] $_POST[arg4]');
?>
I end up with:
[arg1]
[arg2]
[arg3]
[arg4]
This is the first time I've tried passing from php to bash. The bracketed arguments post to a db with no prob. How would I change this to successfully pass the arguments to my bash script? thx.
Variables are expanded inside double-quoted strings, not inside single-quoted strings.
shell_exec("./bashscript.sh $_POST[arg1] $_POST[arg2] $_POST[arg3] $_POST[arg4]");
This is basic PHP syntax, having nothing to do with using the shell.
You should also use escape_shell_arg to escape each argument before substituting it, in case it contains shell metacharacters.
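The escaping this answer recommends, as an added example that is not part of the original answer. PHP's built-in function for it is escapeshellarg(); build_command() and the sample form values are hypothetical.

```php
<?php
// Added example: build_command() is a hypothetical helper, not from the post.
// Each form value is quoted with escapeshellarg() so the shell receives it
// as exactly one argument, whatever characters it contains.
function build_command(string $script, array $post, array $fields): string
{
    $parts = [escapeshellarg($script)];
    foreach ($fields as $field) {
        $value = $post[$field] ?? '';
        if (!is_string($value)) {
            // A field submitted as arg1[]=x arrives as an array; refuse it.
            throw new InvalidArgumentException("$field must be a string");
        }
        $parts[] = escapeshellarg($value);
    }
    return implode(' ', $parts);
}

// Constructed sample input standing in for $_POST.
$post = [
    'arg1' => 'alice',
    'arg2' => 'two words',           // would split into two arguments unquoted
    'arg3' => 'a; echo injected',    // ";" would start a second command unquoted
    'arg4' => "it's",                // embedded single quote
];

$cmd = build_command('./bashscript.sh', $post, ['arg1', 'arg2', 'arg3', 'arg4']);

// Print the command line instead of running it, so the quoting is visible.
echo $cmd, PHP_EOL;

// In the real script this string is what gets passed on:
// $output = shell_exec($cmd);
```

On the receiving side, the bash script should reference its parameters quoted, as "$1", so the values stay single words there too.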
Let's say I have a file "English.txt" containing these lines :
$_LANG["accountinfo"] = "Account Information";
$_LANG["accountstats"] = "Account Statistics";
Note : the file extension is .txt and there is nothing I can do to change that. There is no opening PHP tag (<?php) or anything, just those lines, period.
I need to extract and actually get the $_LANG array declared from these lines. How do I do that? Simply including the file echoes every line, so I do
ob_start();
include '/path/to/English.txt';
$str = ob_get_clean();
Now, if I call eval on that string, I get a syntax error, unexpected $end. Any ideas?
Thanks.
eval(file_get_contents('English.txt'));
however, be sure NOBODY can change English.txt, it could be dangerous!
First of all, note that you should use file_get_contents instead of include with output buffering. Since it contains no <?php tag, there is no need to run it through the script processor.
The following works perfectly in my tests:
<?php
$contents = file_get_contents("English.txt");
eval($contents);
var_dump($_LANG);
As one of the comments said, if you do the above and still get an error, then your file does NOT contain exactly/only those lines. Make sure the file is actually syntax compliant.
As has been mentioned, you should really use eval only as a last resort, and only if the file is as safe to execute as any code you write. In other words, it must not be editable by the outside world.
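An alternative to eval() for this file format, as an added example that is not from either answer: it reads only lines of the form shown in the question and rejects anything else, so an edited English.txt cannot run code. parse_lang_lines() is a hypothetical helper, and the assumption is one assignment per line with double-quoted keys and values.

```php
<?php
// Added example: parse_lang_lines() is a hypothetical helper.
// It accepts only lines shaped like  $_LANG["key"] = "value";
// Values are taken literally: no variable interpolation, no code execution.
function parse_lang_lines(string $text): array
{
    $pattern = '/^\s*\$_LANG\["([A-Za-z0-9_]+)"\]\s*=\s*"((?:[^"\\\\]|\\\\.)*)"\s*;\s*$/';
    $lang = [];
    foreach (preg_split('/\R/', $text) as $n => $line) {
        if (trim($line) === '') {
            continue; // blank lines are allowed
        }
        if (!preg_match($pattern, $line, $m)) {
            throw new UnexpectedValueException('Unrecognised line ' . ($n + 1));
        }
        // Undo only the two escapes a quoted value needs: \" and \\
        $lang[$m[1]] = strtr($m[2], ['\\"' => '"', '\\\\' => '\\']);
    }
    return $lang;
}

// The two lines from the question (nowdoc, so "$" is not interpolated here).
$sample = <<<'TXT'
$_LANG["accountinfo"] = "Account Information";
$_LANG["accountstats"] = "Account Statistics";
TXT;

$_LANG = parse_lang_lines($sample);
var_dump($_LANG);

// Constructed case: the same file with one extra line that is not an
// assignment. eval() would run it; the parser refuses the whole file.
$tampered = $sample . "\n" . 'echo "this line would run under eval";';
try {
    parse_lang_lines($tampered);
} catch (UnexpectedValueException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```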
Very simply, I want to make a variable read the HTML code as a string, I mean don't execute it (run it).
The problem with the code is: I have an HTML file, and I want to get the content of it and do some preg_replace on it (run a function on the HTML code). The problem is I can't use preg_replace, or any other function, because the HTML code is executed by PHP (PHP reads the HTML code).
I hope you understand me. I want something like highlight_string, but one that saves the HTML code in the variable.
Thank you.
you're probably trying to include or require the HTML code.
which is incorrect since it is evaluated as part of the source.
instead, use a function such as file_get_contents() to read the file into a string.
Use file_get_contents() as #David Chan suggested and then pass the result through htmlentities()... it converts the characters to HTML entities (i.e., < to &lt;).
$getTheContent = file_get_contents($filepath);
echo htmlentities($getTheContent);
It should return the code, not executed.
I have a string that has HTML & PHP in it, when I pull the string from the database, it is echo'd to screen, but the PHP code doesn't display. The string looks like this:
$string = "Hello <?php echo 'World';?>";
echo $string;
Output
Hello
Source Code
Hello <?php echo 'World';?>
When I look in the source code, I can see the php line there. So what I need to do is eval() just the php segment that is in the string.
One thing to consider is that the PHP could be located anywhere in the string at any given time.
* Just to clarify, my PHP config is correct, this is a case of some PHP being dumped from the database and not rendering, because I am echo'ing a variable with the PHP code in it, it fails to run. *
Thanks again for any help I may receive.
$str = "Hello
<?php echo 'World';?>";
$matches = array();
preg_match('/<\?php (.+) \?>/x', $str, $matches);
eval($matches[1]);
This will work, but like others have and will suggest, this is a terrible idea. Your application architecture should never revolve around storing code in the database.
Most simply, if you have pages that always need to display strings, store those strings in the database, not code to produce them. Real world data is more complicated than this, but must always be properly modelled in the database.
Edit: Would need adapting with preg_replace_callback to remove the source/interpolate correctly.
You shouldn't eval the PHP code, just run it. A PHP interpreter needs to be installed, and Apache + PHP properly configured. Then this .php file should output Hello World.
Answer to the edit:
Use preg_replace_callback to get the php part, eval it, replace the input to the output, then echo it.
But if you have to eval things that come from the database, I'm almost sure it's a design error.
eval() should work fine, as long as the code is proper PHP and ends with a semicolon. How about you strip off the php tag first, then eval it.
The following example was tested and works:
<?php
$db_result = "<?php echo 'World';?>";
$stripped_code = str_replace('?>', '', str_replace('<?php', '', $db_result));
eval($stripped_code);
?>
Just make sure that whatever you retrieve from the db has been properly sanitized first, since you're essentially allowing anyone who can get content into the db, to execute code.
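The design the answers point to (store strings, not code, and substitute with preg_replace_callback), as an added example that is not from any of the answers. render_stored(), the {{name}} placeholder syntax, and the assumption that stored text is plain text rather than markup are all hypothetical.

```php
<?php
// Added example: render_stored() and the {{name}} placeholder syntax are
// hypothetical. The database row holds text with placeholders, never PHP.
function render_stored(string $template, array $values): string
{
    // Escape the stored text first so nothing from the database becomes
    // markup; "{" and "}" are untouched by htmlspecialchars().
    $safe = htmlspecialchars($template, ENT_QUOTES, 'UTF-8');

    $out = preg_replace_callback(
        '/\{\{([a-z_]+)\}\}/',
        function (array $m) use ($values): string {
            if (!array_key_exists($m[1], $values)) {
                return $m[0]; // unknown placeholder stays visible as text
            }
            // Substituted values are escaped too; they are data, not HTML.
            return htmlspecialchars((string) $values[$m[1]], ENT_QUOTES, 'UTF-8');
        },
        $safe
    );

    return $out ?? $safe; // preg_replace_callback() returns null on a PCRE error
}

// Constructed database value: a placeholder plus the PHP snippet from the
// question, to show that stored PHP is displayed as text and never run.
$row = "Hello {{target}} <?php echo 'World';?>";

echo render_stored($row, ['target' => 'World']), PHP_EOL;

// A value that looks like markup is rendered as text as well.
echo render_stored('Hello {{target}}', ['target' => '<b>World</b>']), PHP_EOL;
```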