PHP part:
$php = $_POST['php'];
//$php = "print \"hello world\";";
if ($php != null){
if (strlen($php) < 400){
echo $php;
eval($php);
//eval("print \"hello world\";");
}else die ("Evaluated Expression Exceeds Maximum Length");
}
LSL part:
string php = "print \"hello world\";";
Now I added the commented out bits into PHP to show that it works. And then when the LSL script sends to PHP it returns:
print \"hello world\"; -- this line is from, 'echo $php;'
<b>Parse error</b>: syntax error, unexpected '"', expecting identifier
(T_STRING) in <b>xxxxxx.php(141) : eval()'d code</b> on line <b>1</b><br />
-- this is the error.
And it is something to do with the the way the two scripts are sending data. I thought maybe had something to do with $php = $_POST['php']; so changed it to $php = $_POST[php]; With no change to the result. I then tried changing print \"hello world\"; to print 'hello world'; It then just returns the error : T_ENCAPSED_AND_WHITESPACE.
I did not supply the full source here. Only the section that was having an issue. It is supplied in a example state. The output is the same as the actual error result, that is being seen in the source. Usage of eval is required for the lsl script and php. In that the code is dynamically being reconfigured by both and sent to one another. Essentially giving the two the ability to code into one another. This is for a game in Second Life.
So if anyone knows of an actual way to pass the required data to and from the scripts. I could use some advice. Or a smack in the head if I missed something simple.
With the kind poke from mario on turning off magic_quotes. I then found what the data was doing in the source. I then ended up researching and using the following : eval(stripslashes($php)); Which completely solves the issue. And based on marios poke.
It had nothing to do with escape data. Didn't think so as echo reported that fine. And it was indeed a slap me in the head error too.
stripslashes — Un-quotes a quoted string
Will vote this as best answer and also a best answer for mario. Wish he would have done his as a answer over comment. So could have voted it.
Related
UPDATE !!!
It seems that the website I used to test my code has issues and therefore I had problem with executing my thing. I still leave this post up, so someone else, with similar problem can learn something.
website to avoid: http://phptester.net
ORIGINAL POST !!!
I want to add a string to my variable that uses a double qouted word. Is that possible? I only get error.
FATAL ERROR syntax error, unexpected 'Old' (T_STRING) on line number 4
Here is the code:
<?php
$var = "name: ";
$biography = "\n I'm Robert and I came from \"Old\" Europe.";
echo $biography;
?>
I was checking it on this website:
http://phptester.net
It must be smg to do with the new line character in the beginning, or perhaps its not even possible to add double qouted words to a variable. I am not sure.
Your help is greatly appreciated !
I know this is probably old-hat for many of the good folks on this forum, but after a few hours of hunting here for a solution I'm still having trouble.
I have confirmed that I can get a simple call to file_get_contents() to work:
$content = file_get_contents('example.com');
print $content;
(Outputs the contents of the site, as expected.)
And, if I plug one of the URLs generated by my script into the browser directly, that works too:
http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO2&Sect2=HITOFF&u=/netahtml/PTO/search-adv.htm&r=0&p=1&f=S&l=50&Query=AN/"allied signal" AND ((((((((CCL/29/$ OR CCL/62/$) OR CCL/165/$) OR CCL/180/$) OR CCL/236/$) OR CCL/237/$) OR CCL/241/$) OR CCL/248/$) OR CCL/417/$)&d=PTXT
(In actuality, that is generated/stored as a literal string named $url in my code. Though, I'm noticing as I type this that the quotes are throwing off something here. Not sure if that translates to my problem or not.)
But, when I try to combine the two it fails immediately:
$content = file_get_contents($url);
print $content;
(Outputs nothing.)
I've tried every suggestion I've seen so far involving various uses of cURL instead, and of course json to try to get some clue what is happening. But, other than the one case where I got HTTP 400 to spit out, and another where the output was NULL (sorry, I lost the links to the specific posts I'd been reading), no luck there.
I'm sure its something ludicrously simple that I'm missing here, that I'll probably ::head desk:: when I find it, but right now I'm stuck. Any suggestions?
Thanks In Advance
EDIT: I forgot to include, nothing in the error log either.
EDIT: allow_url_fopen is set correctly.
EDIT: Use of urlencode($url) does produce the following error, when the example above is called...
[29-May-2014 02:08:57 America/New_York] PHP Warning: file_get_contents(http%3A%2F%2Fpatft.uspto.gov%2Fnetacgi%2Fnph-Parser%3FSect1%3DPTO2%26Sect2%3DHITOFF%26u%3D%2Fnetahtml%2FPTO%2Fsearch-adv.htm%26r%3D0%26p%3D1%26f%3DS%26l%3D50%26Query%3DAN%2F%22allied+signal%22%0D%0A+AND+%28%28%28%28%28%28%28%28CCL%2F29%2F%24+OR+CCL%2F62%2F%24%29+OR+CCL%2F165%2F%24%29+OR+CCL%2F180%2F%24%29+OR+CCL%2F236%2F%24%29+OR+CCL%2F237%2F%24%29+OR+CCL%2F241%2F%24%29+OR+CCL%2F248%2F%24%29+OR+CCL%2F417%2F%24%29%26d%3DPTXT): failed to open stream: Invalid argument in C:\inetpub\wwwroot\PHP-CGI\test.php on line 21
EDIT: Some test code...
<?php
print "Testing...<BR>";
define("PATFT_head",'http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO2&Sect2=HITOFF&u=%2Fnetahtml%2FPTO%2Fsearch-adv.htm&r=0&p=1&f=S&l=50&Query=AN%2F%22');
define("PATFT_foot",'%22+AND+%28%28%28%28%28%28%28%28CCL%2F29%2F%24+OR+CCL%2F62%2F%24%29+OR+CCL%2F165%2F%24%29+OR+CCL%2F180%2F%24%29+OR+CCL%2F236%2F%24%29+OR+CCL%2F237%2F%24%29+OR+CCL%2F241%2F%24%29+OR+CCL%2F248%2F%24%29+OR+CCL%2F417%2F%24%29&d=PTXT');
$assignees = file("./config/assignees.txt");
foreach ($assignees as $name) {
$url= PATFT_head.$name.PATFT_foot;
$content = file_get_contents($url);
#print "Should see the page here...<BR>";
print $content;
}
print "<BR>Done.";
?>
Contents of assignees.txt is a series of search terms (in this case the Assignee Name of a patent holder), 1 per line.
Try urlencode :
$content = file_get_content(urlencode($url));
print $content;
There is a setting for allow_url_fopen in the PHP INI. Make sure you set this to true or 1.
I've got PHP and HTML code stored in a database table. When I get this data, I need to echo the HTML and process the PHP. I thought I could use eval() for this, which works, if I do this eval("echo 'dlsj'; ?> EVALED "); I get "dlsjEVALED" printed out.
The problem is, I get a fatal error when I run longer scripts. Things like:
Parse error: syntax error, unexpected '<' in /home/content.php(18) : eval()'d code on line 1
Best advice - never store php and html code in your database. And avoid eval() like the plague.
I can't really tell what's wrong with your code, as you haven't provided enough information. But even if I did have some advice, I don't think I could give it in good conscience.
You should redesign your whole application so that it doesn't require storing such things in the database. I can't imagine why it would be necessary.
just right der...........
eval('?>' . $content .'<?php');
You need to re-open php mode after the EVALED. Apparently you have to do this with <? rather than the full <?php.
As a rule eval is to be avoided. But rules are made to be broken. There's a thread at When is eval evil in php? that gives some less dogmatic advice.
Depending on what you want to do, it might be suitable to use a template file that you source, with text that will vary stored in a local variable prior to sourcing the template.
As for storing code to be executed in the DB... this does happen in some frameworks like Drupal to provide convenient extensibility, but then Drupal is pretty thoroughly scoured for security weaknesses.
Also if you're writing self-modifying code then you need to use eval(). Not sure if anyone has done that in php but it would certainly be interesting.
I would guess that you're trying to eval() something that contains an opening <?php tag. And that leads to the error at hand.
$contents = htmlentities($contents);
echo html_entity_decode(eval($contents));
What am I doing wrong here?
$array = array('sky'=>'blue', 'grass'=>'green', 'sun'=>'yellow');
$key = array_search('green', $array);
echo $key;
error: Parse error: syntax error, unexpected T_DOUBLE_ARROW in /Applications/XAMPP/xamppfiles/htdocs/search-array.php on line 2
$array = array('sky'=>'blue', 'grass'=>'green', 'sun'=>'yellow');
$key = array_search('green', $array);
echo $key;
The source you posted works perfectly and returns 'grass'. Are you sure it is not another snippet in your application?
You may want to try finding if you closed the array right and if you have commas where they are needed. If that doesn't resolve it for perfectly functional syntax:
error_reporting(E_ALL^E_NOTICE);
Long shot, but worth a mention, I feel:
I've had the experience that sometimes, some FTP programs error out silently if they don't manage to transfer the whole file. If you're experiencing the error on a webserver and you pasted us the local code (and only then), that might be what's causing your problem; e.g. if your remote file looks like this due to an incomplete transfer:
$array = array('sky'=>'blue', 'grass'=>'green', 'sun'=>
I've gotten some odd errors over time that I couldn't explain that then boiled down to an incomplete transferred file.
I'd recommend that whenever you encounter a parse error you can't find, try re-uploading the file. If it still occurs, chances are you overlooked something.
(Needless to say that if this does happen to you, you should probably look into a better FTP client. :) Mind, I don't take this advice, I like mine too much, this is its only shortfall.)
I have a string that has HTML & PHP in it, when I pull the string from the database, it is echo'd to screen, but the PHP code doesn't display. The string looks like this:
$string = 'Hello <?php echo 'World';?>';
echo $string;
Output
Hello
Source Code
Hello <?php echo 'World';?>
When I look in the source code, I can see the php line there. So what I need to do is eval() just the php segment that is in the string.
One thing to consider is that the PHP could be located anywhere in the string at any given time.
* Just to clarify, my PHP config is correct, this is a case of some PHP being dumped from the database and not rendering, because I am echo'ing a variable with the PHP code in it, it fails to run. *
Thanks again for any help I may receive.
$str = "Hello
<?php echo 'World';?>";
$matches = array();
preg_match('/<\?php (.+) \?>/x', $str, $matches);
eval($matches[1]);
This will work, but like others have and will suggest, this is a terrible idea. Your application architecture should never revolve around storing code in the database.
Most simply, if you have pages that always need to display strings, store those strings in the database, not code to produce them. Real world data is more complicated than this, but must always be properly modelled in the database.
Edit: Would need adapting with preg_replace_callback to remove the source/interpolate correctly.
You shouldn't eval the php code, just run it. It's need to be php interpreter installed, and apache+php properly configured. Then this .php file should output Hello World.
Answer to the edit:
Use preg_replace_callback to get the php part, eval it, replace the input to the output, then echo it.
But. If you should eval things come from database, i'm almost sure, it's a design error.
eval() should work fine, as long as the code is proper PHP and ends with a semicolon. How about you strip off the php tag first, then eval it.
The following example was tested and works:
<?php
$db_result = "<?php echo 'World';?>";
$stripped_code = str_replace('?>', '', str_replace('<?php', '', $db_result));
eval($stripped_code);
?>
Just make sure that whatever you retrieve from the db has been properly sanitized first, since you're essentially allowing anyone who can get content into the db, to execute code.