Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 8 years ago.
Improve this question
Suppose we have the following PHP scripts
if(isset($_GET['adr'])) {
$adr = $_GET['adr'];
include $adr.".txt";
}
I want to load a non text file, For this purpose I use mysite.com/?adr=g:/file.asd%00 URL, in the other side we all know all strings in PHP must terminated by NULL byte (i.e. %00). But when I request this URL the Apache server tells me:
Warning: include(): Failed opening 'g:/file.asd' for inclusion (include_path='.;C:\php\pear') in G:\Program Files\EasyPHP-12.1\www\index.php on line 16
Can anyone please tell me why this does not work?
Thanks
Leaving aside the massive security implications of includeing a file based on user input without validation, here's what I'd do:
if( strpos($adr,".") === false) $adr .= ".txt";
Basically, this appends .txt only if there is not already a file extension (or at least, something that looks like it might be a file extension)
I don't know anything about using NULL byte in urls.
When creating URL and passing parameter you should use urlencode function as below:
$x = 'ysite.com/?adr='.urlencode('g:/file.asd');
and you should make sure that file g:/file.asd.txt exists
Extra question - are you sure you have your file saved? In warning there is Failed opening 'g:/file.asd' for inclusion and in your code you include g:/file.asd.txt file.
Of course you can do this only on your localhost. IF you do it on live server, simple don't because anyone can quick reveal all filesystem data and do anything they want.
Related
Closed. This question needs debugging details. It is not currently accepting answers.
Edit the question to include desired behavior, a specific problem or error, and the shortest code necessary to reproduce the problem. This will help others answer the question.
Closed 3 years ago.
Improve this question
I'm PHP developer but i cant understand this error
$uid = $this->db->Tables("telegrambots")->search([
"telegrambotid" => $this->botKey
])['uniqueId'];
if (!file_exists("TelegramBotCommands/{$uid}"))
mkdir("TelegramBotCommands/{$uid}");
Eval is evil, you probably don't need it so don't use it. You want to make a call to a class with a dynamic name? Use this:
$dynamic_class_name = 'Video';
$video = new $dynamic_class_name();
That being said, your snippet with eval seems to work perfectly fine:
http://sandbox.onlinephpfunctions.com/code/e3bb43b1ccfd27365247120e9c5751aac9e2b4ce
You would have to check your logs as to what the error is.
EDIT:
As you said you are using namespaces, try to use the full classname including the namespace in the eval function (like new \namespace\Videos(.... Even better though: don't use eval!
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 5 years ago.
Improve this question
I am trying to use the file_put_contents() to create user specific pages. When a user first enters their account, I want the site to create a page that is accessible only by the user at mydomain.com/users/username.php. If they are not the user, then I am trying to redirect them to their own account page (because the users/username.html contains sensitive info). As such, I use this code in the username.html:
<?php
$actual_link='http://'.$_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF'];
$net = $actual_link['filename'];
if($_SESSION['username']==$net){
echo 'Verified';
}
else{
header('Location:mydomain.com/user/welcome.php');
}
?>
This, hypothetically, would keep unauthorized users off of the page. To create the page for each user (and keep it scalable), I used
file_put_contents($urlphp,$phpstuff)
(I decided not use FILE_APPEND because the file shouldn't exist). $urlphp is the username ($_SESSION['username']) combined with .php, and $phpstuff is all of teh that I put above. This is where I think I went wrong. I typed:
$phpstuff = "<?php
$actual_link='http://'.$_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF'];
$net = $actual_link['filename'];
if($_SESSION['username']==$net){
echo 'Verified';
}
else{
header('Location:mydomain.com/user/welcome.php');
}
?>"
However, this code produced:
Parse error: syntax error, unexpected '' (T_ENCAPSED_AND_WHITESPACE), expecting identifier (T_STRING) or variable (T_VARIABLE) or number (T_NUM_STRING) in path/to/users/welcome.php on line 35
Line 35 is:
$actual_link='http://'.$_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF'];
However, (and keep in mind here, I'm relatively new to PHP/MySQL, so I'm going off of what I know and what PHP.net and W3Schools tell me) I couldn't find any whitespace in line 35. So I assumed that you can't have a multi-line variable (which wouldn't be detrimental to the code. I think....), so I tried making it all one line, which produced the exact same error, but moved the problematic line up one.
What I can't figure out is if it's a problem with my use of file_put_contents() or my use of the variable $phpstuff. If there is anything that I missed, please point it out, I am almost positive it is something that I'm overlooking. I am at a loss as to what to do/try. All help is appreciated. Thanks!
Don't do it this way.
Instead of generating PHP dynamically and creating a file for each separate user (which is wrong in so many ways), have one file that handles all users, and then pass the username / userid as a parameter to the script.
You could use .htaccess to route all requests for /users/.php to, /users/index.php?user=.
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 8 years ago.
Improve this question
I am trying to pass an action parameter and a variable parameter in the same header function.
Here is the code that I have written so far:
header('Location: .?action=show_edit_form, word=$word');
When I use the action parameter alone, it goes to the next page, but when I try to pass a variable along with the action parameter, it does not work.
Please advise.
Query string parameters in URLs are separated by & not by ,
PHP doesn't interpolate variables inside strings quoted with ', you need "
Although most browsers will silently error correct, the Location header requires an absolute URI
Thus:
header("Location: http://example.com/foo.php?action=show_edit_form&word=$word");
Unless you are certain your variable won't have special characters in it, you should make sure it is properly encoded for putting in a URL too.
header("Location: http://example.com/foo.php?action=show_edit_form&word=" . urlencode($word));
What you are doing with the header is just referring the user to another page that conforms to a normal url.
Header('Location: .?action=show_edit_form&
word='.$word);
On that page you can call $_GET['word']. You may also want to urlencode your values to prevent any unforseen problems with invalid characters. Look carefully at you quotation marks inside the header function.
For Example,
Here i am trying to send the parameter id & message for the purpose of deleting record,So you
use the following code,
$Params="?action=delete&id=".$id."&mess=Deleted Sucessfully";
header("Location:company.php".$Params);
So , in the next page you will get the parameter variable as,
$action=$_GET['action'];
$id=$_GET['id'];
$message=$_GET['mess'];
Above is the format of passing multiple parameters.Hope it works...
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Questions asking for code must demonstrate a minimal understanding of the problem being solved. Include attempted solutions, why they didn't work, and the expected results. See also: Stack Overflow question checklist
Closed 9 years ago.
Improve this question
I have this line of PHP code here
<?php
file_put_contents('query.txt', parse_url($_SERVER['REQUEST_URI'], PHP_URL_QUERY));
?>
Whenever
phpfile.php?blablabla
is queried it writes a query.txt with the parameter in it, in this case, blablabla.
BUT, when I do this, it deletes the past query.txt file and writes a totally new one.
I want the queries to be ADDED into the .txt file. So there can be as many queries and possible and every single value entered will be lined up in the .txt file..
For example
I want it so phpfile.php?test is visited, query.txt looks like this
test
after that, phpfile.php?test2 is visited
now query.txt looks like this
test
test2
and this goes on forever.
How do I do this?
p.s.: sorry, I'm totally a Java type. I'm an absolute beginner to PHP.
You wish to append to the file, so you should use something along the lines of
$handle = fopen("myfile.txt", "a");
fwrite ($handle, parse_url($_SERVER['REQUEST_URI'], PHP_URL_QUERY));
fclose($handle);
You can find all the other read/write file open flags at the docs.
http://php.net/manual/en/function.fopen.php
It appears you can also just pass a flag with your existing code, as that will abstract the file handle open/close from you;
file_put_contents('query.txt', parse_url($_SERVER['REQUEST_URI'], PHP_URL_QUERY), FILE_APPEND);
Add FILE_APPEND as 3rd argument to file_put_contents(). Example (.PHP_EOL to add new line):
$data = parse_url($_SERVER['REQUEST_URI'], PHP_URL_QUERY).PHP_EOL;
file_put_contents('query.txt', $data, FILE_APPEND);
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 8 years ago.
Improve this question
i writing a PHP script that call a file in the server
by using :
<?php
$ret=system("command");
?>
the problem is when the file need some parameters
i can't find a way of doing that
because when using
<?php
$ret=system("command");
?>
the PHP skips that part of asking for variables
and assign to id a random one
and i can't pass theme at the start like
$ret = system("command argument1 argument2 argument3...");
beause the nmber of parametres depend on the user
i mean he keep entring data to a dynamic array entill he enter"end"
$ret = system("command argument1 argument2 argument3...");
Just load the arguments on, just like you were calling the program from a command line.
$cmd = "cmd param1 param2";
system($cmd,$return_value);
($return_value == 0) or die("returned an error: $cmd");
If what you mean is that you have an array that can have any number of parameters use this:
$commandParameters = implode(" ",$dynamicArray);
$ret = system("command ".escapeshellarg($commandParameters));
Get the parameters from the user via. HTML form and then, when you know what (and how many) the parameters are - you can use "system()" like everyone suggested!