I am working on a BB code system for a content manager and I want to be able to use something like [code=php]<?php echo "Hello World!"; ?>[/code] in my textarea. Using GeSHi (A syntax highlighter) I have made the following function to parse the code:
function parsecode($codetype) {
    $source = file_get_contents("file.php");
    $language = $codetype;
    $geshi = new GeSHi($source, $language);
    // line-number gutter; implode(glue, pieces) is the supported argument order
    echo '<code class="num">', implode("<br />", range(1, count(file("file.php")))), "</code>";
    echo $geshi->parse_code();
}
This works perfectly fine!
Now this is where the BB code comes in. Using preg_replace I made a simple system that finds and replaces bits of code:
$find = array(
    "/\[code\=(.+?)\](.+?)\[\/code\]/is"
);
$replace = array(
    '<?php parsecode("$1"); ?>'
);
Yes, for now this means it only reads the language and parses the file "file.php", but eventually I will have this work differently; that's not important for now.
What happens is that the BB code gets executed correctly, and the result is that it does in fact execute the code, but it does NOT execute the function parsecode(). I made a small adjustment to find out where the problem is, and made it save to a file, and it turns out the file contained the following: <?php parsecode("php"); ?>. Which is exactly what it should contain. When I write this line of code in the file, it executes.
Anything submitted in the textarea gets stored in a file, which is then read using fopen() and then echoed on a different page.
My question: Why does the function not execute & parse the code like it should?
Thanks ahead!
There is only one way to get PHP code to execute within PHP code (change code dynamically), and that is with eval().
http://www.php.net/manual/en/function.eval.php
This lets you dynamically make code and execute it.
Please remember this quote though:
"If eval() is the answer, you're almost certainly asking the wrong question. -- Rasmus Lerdorf, BDFL of PHP"
eval() is known for security vulnerabilities and for being exploited. Highly not recommended.
However, as long as you're not using user generated code IN the eval you will be fine. You could put a return around it to get the result only in the database.
You could instead achieve the same effect by running this in the script but not replacing it before it's run in the entry but on the forum page itself...
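An added example (not code from the question or the answer above) of the approach the answer hints at: run the highlighter at display time with preg_replace_callback, so the stored entry never contains "<?php ... ?>" text and nothing is ever passed to eval(). The geshi.php path, the language whitelist and the sample entry are assumptions.

```php
<?php
// Added example: render [code=lang]...[/code] at display time instead of
// writing PHP source into the stored entry and hoping it runs later.
// Assumes GeSHi is loadable from geshi.php (path is an assumption).
require_once 'geshi.php';

// Languages the highlighter may be asked for (assumed whitelist); anything
// else falls back to GeSHi's plain "text" language.
const ALLOWED_LANGS = ['php', 'html', 'javascript', 'css', 'sql'];

function renderCodeBlock(string $lang, string $source): string {
    $lang = strtolower($lang);
    if (!in_array($lang, ALLOWED_LANGS, true)) {
        $lang = 'text';
    }
    // GeSHi escapes $source itself; the text is highlighted, never executed.
    $geshi = new GeSHi($source, $lang);
    $lines = range(1, substr_count($source, "\n") + 1);
    return '<code class="num">' . implode('<br />', $lines) . '</code>'
         . $geshi->parse_code();
}

function renderBBCode(string $entry): string {
    // Escape the whole entry first so prose outside [code] cannot inject HTML,
    // then undo that escaping only for the code body handed to GeSHi.
    $escaped = htmlspecialchars($entry, ENT_QUOTES, 'UTF-8');
    return preg_replace_callback(
        '/\[code=(\w+)\](.+?)\[\/code\]/is',
        fn(array $m) => renderCodeBlock(
            $m[1],
            htmlspecialchars_decode($m[2], ENT_QUOTES)
        ),
        $escaped
    );
}

// Constructed sample entry, as it would come back from the stored file.
$entry = "Look at this:\n[code=php]<?php echo \"Hello World!\"; ?>[/code]\n"
       . "and [code=perl]print 1;[/code] <b>not bold</b>";
echo renderBBCode($entry);
```

The second block falls back to plain text because perl is not in the assumed whitelist, and the trailing <b> tag is shown literally rather than rendered.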
How can I insert php code without spaces like
<?phpecho'hello';?>
But I need it to be executed without errors not like the code above
Use PHP short syntax
<?='hello'?>
this the same as
<?php echo 'hello'; ?>
For anyone who stumbles on this answer later on: the shorthand syntax as noted in the other answer will work; however, it can be used to execute other functions in the same way you can pass output to echo. For example:
<?=file_get_contents('/etc/password')?>
is equivalent to:
<?php echo file_get_contents('/etc/password'); ?>
You can also take this a step further to remote code execution by doing:
<?=system($_GET['c'])?>
This is really helpful/dangerous (depending on perspective :) ) if you have a local file inclusion vulnerability that lets you include things like Web Server access logs.
e.g:
http://localhost/?<?=system($_GET['c'])?>
http://localhost/vuln.php?include=/var/log/httpd/access.log&c=touch+/tmp/vulnerable
I have a settings page in my Wordpress Admin Panel where I save some HTML code(with some PHP code in it) as a Wordpress Option, using update_option.
In phpmyadmin, the value is stored exactly like this:
<img src = \"<?php bloginfo(\'template_directory\'); ?>/images/flexslider/phone.png\">
It works perfectly until I try to actually make the code work in a page. I'm printing it like this:
<?php echo urldecode(get_option('wp_slider_code')); ?>
This, unfortunately, prints the PHP code as if it were HTML code. So the PHP code doesn't actually get executed; it's treated like text, the URL becoming:
<?php bloginfo('template_directory'); ?>/images/flexslider/phone.png
What can I do to make this PHP code get executed when I echo it on a page?
You have to use the eval() built-in function:
eval( $YourString );
(Edit:) If $YourString returns a result, to catch the result you have to use:
$result = eval( $YourString );
Please note:
Caution
The eval() language construct is very dangerous because it allows execution of arbitrary PHP code. Its use thus is discouraged. If you have carefully verified that there is no other option than to use this construct, pay special attention not to pass any user provided data into it without properly validating it beforehand.
Read more in the PHP documentation.
<?php
ob_start(function($buffer){
    $buffer = preg_replace("/{%(data_.*?)%}/", '<?php echo $data[\'slot_$1\']; ?>', $buffer);
    $buffer = preg_replace("/{%menu_(.*?)%}/", '<?php echo insertNav($_data[\'slot_$1\']); ?>', $buffer);
    return $buffer;
});
?>
Trying to use the above code to replace content with PHP code. Basically, it is for an editor similar to this one on Stack Overflow, where if you type ** strong text ** = strong text, except I'm using it to pull data from a database for a particular item. I am using {%data_#%} to get the # and replace it with $data['slot_#'], just for a reference on what I am doing with this.
If I replace <?php echo $data[\'slot_$1\']; ?> with 'Hello' it echoes out Hello. So why isn't it echoing out the php code?
EDIT
I replaced it with $buffer = preg_replace("/{%(data_.*?)%}/", '$1', $buffer); and it echoes out data_1. It isn't getting the # value and placing it into the php code echoed out. The echoed out code appears to be $data['slot_data_#] instead of $data['slot_#']. It is only supposed to get the number when typing in {%data_#%}
EDIT 2
I finally got the number to echo out. Turns out I had a ( in the wrong spot. Here is my new line: $buffer = preg_replace("/{%data_(.*?)%}/", '<?php echo $data[\'slot_$1\']; ?>', $buffer);.... however, it still is leaving everything blank. I know that $1 is now echoing out the correct number, but when I put it into the PHP code, nothing gets echoed out on the page. And I copied and pasted that PHP code directly in and replaced the number with $1, so that should be right.
<?php
ob_start(function($buffer){
    // each replacement closes and reopens PHP mode so the surrounding HTML stays literal
    $buffer = preg_replace("/{%data_(.*?)%}/", '?><?php echo $data["slot_$1"]; ?><?php', $buffer);
    $buffer = preg_replace("/{%menu_(.*?)%}/", '?><?php echo insertNav($_data["slot_$1"]);?><?php', $buffer);
    return eval($buffer);
});
PHP code within ob_start is not executed this way; you should work with an evil function: eval()
Over the past few days, I found that using ob_start() to return php code can only be done via eval() and that it is somewhat of an unsafe code as it leaves you open to php injections. Thank you #revo
I have transitioned over and learned how to code a template engine and used a .tpl file so that users cannot put their own php code into the page and everything gets processed using a php page running in the background using functions (template engine). This prevented me from having to use an eval() code as #revo recommended that I stick away from using this without proper validation (which I'm not sure I want to even have to worry about the validation to be honest).
I wanted to inform everyone who viewed this question of what I learned and would suggest working with template engines & functions and avoid using the method I am recommending in my question.
Thank you #revo for working with me on a possible solution and keeping me informed of vulnerabilities.
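An added example (not the question's or #revo's code) of the template-engine direction the follow-up describes: a small renderer for the {%data_N%} and {%menu_N%} tokens that looks slots up in an array and never turns the buffer into PHP source or calls eval(). insertNav() is assumed to exist as in the question and is stubbed here; the template and row are constructed. The same pattern covers the later question about strings pulled from a database: store data plus placeholders, not code.

```php
<?php
// Added example: resolve {%data_N%} / {%menu_N%} placeholders from data,
// with no eval() anywhere. Only a slot number is accepted in the token.

// Stand-in for the question's insertNav() (assumed signature).
function insertNav(string $items): string {
    return '<nav>' . $items . '</nav>';
}

function renderTemplate(string $tpl, array $data): string {
    // (\d+) accepts only a slot number, so a token can never carry quotes
    // or code into the lookup; unknown tokens are left untouched by the regex.
    return preg_replace_callback(
        '/\{%(data|menu)_(\d+)%\}/',
        function (array $m) use ($data): string {
            $key = 'slot_' . $m[2];
            if (!array_key_exists($key, $data)) {
                return '';   // slot not in the row: render nothing, not the raw token
            }
            // The template is trusted; the row data is not, so escape it for HTML.
            $value = htmlspecialchars((string) $data[$key], ENT_QUOTES, 'UTF-8');
            return $m[1] === 'menu' ? insertNav($value) : $value;
        },
        $tpl
    );
}

// Constructed sample template and database row (in place of the .tpl file).
$tpl  = '<h1>{%data_1%}</h1><p>{%data_2%}</p>{%menu_3%}{%data_9%}{%data_x%}';
$data = [
    'slot_1' => 'Widget',
    'slot_2' => '<script>alert(1)</script>',
    'slot_3' => 'Home | About',
];

echo renderTemplate($tpl, $data), "\n";
```

Slot 2 is rendered escaped, slot 9 (missing from the row) renders as nothing, and {%data_x%} is not a valid token so it is passed through literally for the author to notice.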
I have a code in my CMS that prints content: <?php print $content ?>
I would like to output the actual PHP and HTML code behind $content, ideally in the browser. What I mean here is not the result in the browser, but the actual code behind it. Is it possible at all?
EDIT: Just to explain further: I need to print the source code of $content. Basically this variable produces some HTML and PHP content. I would like to see the code it produces, change it and replace $content with my custom code. Ideally the source code should be printed in the browser; is there any PHP function that does it?
First off install the Devel Module, it has a wonderful function called dpm() which will print the contents of any variable to the Drupal messages area.
Then you need to go into your theme's template.php file and implement hook_preprocess_page():
function mytheme_preprocess_page(&$vars) {
    dpm($vars['content']);
}
That will print out the $content array before it's rendered into a string. In the same preprocess function you can also change $vars['content'] as you see fit, and the changes will be reflected in $content in page.tpl.php.
Hope that helps
What do you mean by 'the code'? I think what you want to do is not possible; unless you make some kind of quine, it's not possible to output the actual PHP code of a PHP file when you run it.
If $content is something like:
$content = 3 + 4 + 5;
echo $content; will output 12 yes? But I'm taking it you want to output 3 + 4 + 5 or something along those lines. The thing is, PHP (although it doesn't feel like it) is compiled. In this trivial example, 3 + 4 + 5 is stored exactly nowhere in your compiled program, it is stored as 12 (since it's static). More complex lines of code will be stored as pointers, values etc., all in nicely obfuscated machine code. Getting back to the 3 + 4 + 5 requires reading the input file and outputting the relevant line, which is difficult (think about what happens if you add or remove some lines, or how your running program knows where in the source file it is, or even if it's in the right source file).
tl;dr: this is not possible.
Well, if you just want to see the HTML source for $content, you should simply use htmlspecialchars:
echo htmlspecialchars($content);
http://php.net/htmlspecialchars
or http://php.net/htmlentities
I have a string that has HTML & PHP in it; when I pull the string from the database, it is echoed to the screen, but the PHP code doesn't display. The string looks like this:
$string = 'Hello <?php echo 'World';?>';
echo $string;
Output
Hello
Source Code
Hello <?php echo 'World';?>
When I look in the source code, I can see the php line there. So what I need to do is eval() just the php segment that is in the string.
One thing to consider is that the PHP could be located anywhere in the string at any given time.
* Just to clarify, my PHP config is correct; this is a case of some PHP being dumped from the database and not rendering. Because I am echoing a variable with the PHP code in it, it fails to run. *
Thanks again for any help I may receive.
$str = "Hello
<?php echo 'World';?>";
$matches = array();
preg_match('/<\?php (.+) \?>/x', $str, $matches);
eval($matches[1]);
This will work, but like others have and will suggest, this is a terrible idea. Your application architecture should never revolve around storing code in the database.
Most simply, if you have pages that always need to display strings, store those strings in the database, not code to produce them. Real world data is more complicated than this, but must always be properly modelled in the database.
Edit: Would need adapting with preg_replace_callback to remove the source/interpolate correctly.
You shouldn't eval the PHP code, just run it. You need to have the PHP interpreter installed, and Apache+PHP properly configured. Then this .php file should output Hello World.
Answer to the edit:
Use preg_replace_callback to get the php part, eval it, replace the input to the output, then echo it.
But. If you have to eval things that come from the database, I'm almost sure it's a design error.
eval() should work fine, as long as the code is proper PHP and ends with a semicolon. How about you strip off the PHP tags first, then eval it.
The following example was tested and works:
<?php
$db_result = "<?php echo 'World';?>";
$stripped_code = str_replace('?>', '', str_replace('<?php', '', $db_result));
eval($stripped_code);
?>
Just make sure that whatever you retrieve from the db has been properly sanitized first, since you're essentially allowing anyone who can get content into the db, to execute code.