i have a little problem with eval.
here is my code:
$postbit = $template->output('posts_list_index'); // output string: $postslist it's ok
eval('echo $postbit;'); // output string: $postslist (?)
Thanks :)
I think in eval() function you can able to replace string with values. Please refer http://in3.php.net/eval.
and the solution for your's is:
eval("$postbit = ".$template->output('posts_list_index'."); ");
echo $postbit ;
try this one.. I am not sure about it.
Javadewd's Answer is correct. I prefer using double quotes instead of single quotes. PHP Manual states
Unlike the double-quoted and heredoc syntaxes, variables and escape sequences for special characters will not be expanded when they occur in single quoted strings.
Eval requires that you escape your $:
eval('echo \$postbit;');
Related
eval("\$data = $myvar('https://www.example.com/json/id='". $_GET['name'] ."'))';
This got me an error, how to concatenate it properly?
Eval is dangerous, but for your specific question above, the quotes were off at the end, and myvar is supposed to be a function. See below:
eval('$data = myvar("https://www.example.com/json/id='. $_GET['name'] .'");');
If you use double quotes like "$data" then $data will first be evaluated and the result or value will be eval'd instead. This is one of the risks of using eval(). If you use double quotes, then escape the $ signs like so:
eval("\$data = myvar('https://www.example.com/json/id=". $_GET['name'] ."');");
Demo: IDEOne
eval("\$data = $myvar('https://www.example.com/json/id=". $_GET['name']."');");
in C# you can declare a literal string that you don't expect to have any escaping in it like:
string myString = #"This\is\some\string\";
For PHP is there anyway to declare a string literal in this way without needing to escape every slash? I know someone out there will ask me "what have you tried?" so for the sake of completeness I will list what doesn't work:
$myString = "This\is\some\string\";
$myString = 'This\is\some\string\';
Use single quotes and you should be good (less single quotes of course). If you really don't want to have to escape anything try nowdoc.
EDIT: assuming PHP >=5.3 (thank you Sammitch)
as sequoia mcdowell pointed out heredocs/newdocs are the answer. like so:
$myString = <<<'EOT'
This\is\some\string\
EOT;
i can't understand why variables are not working here. Here is the code:
include_once('../simple_html_dom.php');
$url = htmlentities($_GET['q']);
$urlall = str_replace(" ", "+", $url);
$html = file_get_html('http://www.example.com/some?key=$urlall&hl=en');
echo $html->plaintext;
if you look at this code you will found $urlall variable which i have applied in the web address, but this variable can't extract its data. As a new PHP programmer can't understand what to do now to make it works.. Here i have used HTML DOM PARSER..Thanks
Strings inside single quotes are literal, so $urlall is just a string, it won't be replaced with accual variable value. What you want to do is to use double quotes:
$html = file_get_html("http://www.example.com/some?key=$urlall&hl=en");
For futher explanation refer to PHP Strings:
Note: Unlike the double-quoted and heredoc syntaxes, variables and
escape sequences for special characters will not be expanded when they
occur in single quoted strings.
PHP Variables are not parsed and replaced in single quotes.
Try
$html = file_get_html("http://www.example.com/some?key=$urlall&hl=en");
Try to replace single quotes with double:
"http://www.example.com/some?key=$urlall&hl=en"
or use string concatenation instead of direct variable input into string:
'http://www.example.com/some?key='.$urlall.'&hl=en'
Second variant is more preferable.
I hope this helps you
I'm trying to use str_replace to correct a filepath as shown below:
$a="F:\xampp\htdocs\yii\get_smart\Music\mix\English\1636464449";
$a=str_replace('\\','/', $a);
echo $a;
returns:
F:
mpp/htdocs/yii/get_smart/Music/mix/Englishs6464449
Can someone please tell me what I'm doing wrong?
My PHP version is 5.3.8
Use single quote for define $a
$a='F:\xampp\htdocs\yii\get_smart\Music\mix\English\1636464449';
the problem is not str_replace but the string defined within double quotes. The backslashes escape the x and other character after it.
This is happening because your string is in double quotes, so the \x is being parsed as a character.
Actually, it's trying to read \xam as a character. Docs: http://php.net/manual/en/regexp.reference.escape.php
Put your string in single quotes (or escape the slash before the x).
Your problem is that the first string has some escaped sequences. For example \xam has a meaning in php. It looks like \16 might also mean something. You should echo $a before you do the str_replace and see what you get.
I am trying to test some of these code here http://ha.ckers.org/xss.html on my code. To do so I need to set the codes on that page into a PHP variable, I am having trouble though.
For example this code below is incorrect just for setting it to a variable because of the "code" and 'code' the '" is what I am talking about. How can I set code from that page or below into a PHP variable for testing?
$string = '<IMG SRC=\"javascript:alert('XSS');\"><b>hello</b> hiii';
You need to escape the quotes you used to declare the string with. So in your case the single quotes:
'<IMG SRC="javascript:alert(\'XSS\');"><b>hello</b> hiii'
Otherwise the string would be aborted with that unescaped quote.
Another way, maybe a bit easier (you don't have to escape the quotes, nor double-quotes) would be to use Heredoc syntax :
$string = <<<STR_1
<IMG SRC="javascript:alert('XSS');"><b>hello</b> hiii
STR_1;
Note you'll still have to escape the $ sign, if you have some, to not have varible interpolation.
Quoting the manual :
Heredoc text behaves just like a
double-quoted string, without the
double quotes. This means that quotes
in a heredoc do not need to be
escaped, but the escape codes listed
above can still be used. Variables are
expanded, but the same care must be
taken when expressing complex
variables inside a heredoc as with
strings.
Note : read the manual about that : there are some things you must know before using heredoc syntax (like the fact that the closing identifier must be alone on its line)