Predefined variable $s in PHP? - php

This is a very weird error. I am dealing with a script that uses variable $s as an object. This script has been running for a long time.
Randomly, on the page it suddenly said:
Trying to get property of non-object...
Confused, I put var_dump($s) on several places throughout the script, including the VERY TOP (before any includes or anything).
The output: string(32) "8251ca989c1e9aec382f07f6e047e5f3"
Even more confused, I put the var_dump($s) in another script to test it. Once again, it showed the same 32 character string.
What is happening here? Is this a hack of some kind?
EDIT:
I made a new script and this is LITERALLY the entire code:
<?php
var_dump($s);
?>
When I visit in a browser it says: string(32) "8251ca989c1e9aec382f07f6e047e5f3"

register_globals might be turned on, and the data might be coming from a cookie of the same name. You should disable it if you can for security reasons.
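
The mechanism that answer describes can be reproduced on a current PHP build, where register_globals no longer exists, by emulating it with extract(). This is an added example, not code from the question or the answer; it assumes the cookie is named s, reuses the value shown in the question as sample data, and its function names are hypothetical.

```php
<?php
// Added example: emulates the old register_globals import with extract().
// The cookie array below is constructed sample data.

/** Legacy behaviour: every request key silently becomes a variable. */
function legacy_page(array $get, array $post, array $cookie): string
{
    extract($get);
    extract($post);
    extract($cookie);   // a cookie named "s" now defines $s

    // The script expects $s to be an object it created itself.
    return isset($s) ? gettype($s) : 'undefined';
}

/** Hardened form: $s is created locally, request data is read by name. */
function hardened_page(array $cookie): string
{
    $s = new stdClass();
    $sid = $cookie['s'] ?? '';
    // Accept the cookie only if it has the expected shape (32 hex chars).
    $s->sessionId = preg_match('/^[0-9a-f]{32}$/D', $sid) === 1 ? $sid : null;
    return gettype($s);
}

/** Startup check: is the directive present and switched on? */
function register_globals_enabled(): bool
{
    // ini_get() returns false when the directive does not exist (PHP >= 5.4).
    $value = ini_get('register_globals');
    return $value !== false
        && in_array(strtolower((string) $value), ['1', 'on', 'yes', 'true'], true);
}

$cookie = ['s' => '8251ca989c1e9aec382f07f6e047e5f3'];

echo 'legacy $s type:   ', legacy_page([], [], $cookie), PHP_EOL;
echo 'hardened $s type: ', hardened_page($cookie), PHP_EOL;
echo 'register_globals: ', var_export(register_globals_enabled(), true), PHP_EOL;
```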

Related

How does the PHP code execute even without closing the ?> PHP tag?

Following is the code I come to notice from a PHP file:
<?php
# Should log to the same directory as this file
$log = KLogger::instance(dirname(__FILE__), KLogger::DEBUG);
$args1 = array('a' => array('b' => 'c'), 'd');
$args2 = NULL;
$log->logInfo('Info Test');
$log->logNotice('Notice Test');
$log->logWarn('Warn Test');
$log->logError('Error Test');
$log->logFatal('Fatal Test');
$log->logAlert('Alert Test');
$log->logCrit('Crit test');
$log->logEmerg('Emerg Test');
$log->logInfo('Testing passing an array or object', $args1);
$log->logWarn('Testing passing a NULL value', $args2);
You can notice that the closing PHP tag(?>) is not present there but still all the statements within the code are working perfectly. I'm not getting how this could be possible to execute the code without completion of PHP tag(?>). I researched but didn't get any satisfactory explanation. Can anyone guide me in this regard? Thanks in advance.
The closing tag exists to tell the interpreter that it should stop executing the text and just output it verbatim. Unlike XML, which requires opening and closing tags to match to be valid, the PHP interpreter simply uses the tags to delimit where execution should start and stop.
Just like a PHP file could have no opening tag - meaning that the entire contents would be output, no closing tag is necessary as once the end-of-file is reached execution ends.
While I can't remember any other reason, sending headers earlier than the normal course may have far reaching consequences. Below are just a few of them that happened to come to my mind at the moment:
While current PHP releases may have output buffering on, the actual production servers you will be deploying your code on are far more important than any development or testing machines. And they do not always tend to follow latest PHP trends immediately.
By sending headers inadvertently, you might have introduced a security vulnerability: say, you are doing a redirection, but since the headers are already sent, the redirection does not work and the rest of the page might be output, thus the visitor may see what she was not supposed to see. While this can be mitigated by using exit, you know the story, only if every one of us utilizes good programming habits every time.
Even if letting the visitor stay in the wrong page does not have a security implication, by breaking a session behavior, or in some other ways I've encountered over years, the security and/or session cycle might have taken some sort of blow in the end.
If not security, you may have headaches over inexplicable functionality loss. Say, you are implementing some kind of payment gateway, and redirect the user to a specific URL after successful confirmation by the payment processor. If some kind of PHP error, even a warning, or an excess line ending happens, the payment may remain unprocessed and the user may still seem unbilled. This is also one of the reasons why needless redirection is evil and if redirection is to be used, it must be used with caution.
You may get "Page loading canceled" type of errors in Internet Explorer, even in the most recent versions. This is because an AJAX response/json include contains something that it shouldn't contain, because of the excess line endings in some PHP files, just as I've encountered a few days ago.
If you have some file downloads in your app, they can break too, because of this. And you may not notice it, even after years, since the specific breaking habit of a download depends on the server, the browser, the type and content of the file (and possibly some other factors I don't want to bore you with).
Bonus: a few gotchas (actually currently one) related to these 2 characters:
Even some well-known libraries may contain excess line endings after ?>. An example is Smarty, even the most recent versions of both 2.* and 3.* branch have this. So, as always, watch for third party code. Bonus in bonus: A regex for deleting needless PHP endings: replace (\s*\?>\s*)$ with empty text in all files that contain PHP code.
From the PHP Manual:
The closing tag of a PHP block at the end of a file is optional, and in some cases omitting it is helpful when using include or require, so unwanted whitespace will not occur at the end of files, and you will still be able to add headers to the response later. It is also handy if you use output buffering, and would not like to see added unwanted whitespace at the end of the parts generated by the included files.
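
A tokenizer-based audit for the stray output discussed in these answers, together with the (\s*\?>\s*)$ replacement applied in a way that keeps the statement terminator the closing tag implied. This is an added example, not code from the answers or the PHP Manual; the function names and sample sources are constructed, and it is meant for include-style files rather than HTML templates.

```php
<?php
// Added example, not from the original answers. Sample sources are constructed.

/** Findings for one include-style PHP source (not an HTML template). */
function audit_php_source(string $code): array
{
    $tokens = token_get_all($code);
    $findings = [];
    $first = $tokens[0] ?? null;
    $last  = end($tokens);
    // Bytes before the first opening tag (BOM, blank line) are sent as output.
    if (is_array($first) && $first[0] === T_INLINE_HTML) {
        $findings[] = 'output before opening tag';
    }
    // T_CLOSE_TAG swallows one newline; anything after it is inline output.
    if (count($tokens) > 1 && is_array($last) && $last[0] === T_INLINE_HTML && trim($last[1]) === '') {
        $findings[] = 'whitespace after closing tag';
    } elseif (is_array($last) && $last[0] === T_CLOSE_TAG) {
        $findings[] = 'closing tag at end of file';
    }
    return $findings;
}

/** Apply the regex from the answer, keeping the ";" that "?>" implied. */
function strip_trailing_close_tag(string $code): string
{
    $stripped = preg_replace('/\s*\?>\s*$/D', '', $code, -1, $count);
    if ($count === 0) {
        return $code;
    }
    // "?>" terminates the last statement; without it a ";" may be missing.
    if (preg_match('/[;{}:]$/D', $stripped) !== 1) {
        $stripped .= ';';
    }
    return $stripped . "\n";
}

$samples = [
    'clean.php'    => "<?php\nfunction a() {}\n",
    'trailing.php' => "<?php\nfunction b() {}\n?>\n\n",
    'bom.php'      => "\xEF\xBB\xBF<?php\n\$c = 1;\n",
    'implicit.php' => "<?php return 42 ?>\n \n",
];
foreach ($samples as $name => $code) {
    $fixed = strip_trailing_close_tag($code);
    printf("%-13s before: %-30s after: %s\n", $name,
        implode(', ', audit_php_source($code)) ?: 'ok',
        implode(', ', audit_php_source($fixed)) ?: 'ok');
}
```

The bom.php sample stays flagged after the replacement, because the regex only addresses bytes at the end of the file.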

Mysterious 1 when using php include

My backup content (should the database fail) is brought in with include(). For some reason, there's a mysterious lone '1' below the div the include is wrapped in. It does it every time, but just on the content include. I've checked the function, all pages involved, no stray 1. If it loads from the database, everything's fine.
Any ideas why?
(empty($Content)?(empty($dbContent)?include($URL):$dbContent):$Content);
That's the core of the function. No code to provide really, just a strange 1.
Apparently it was the nested ternaries causing the issue. It outputs a 1 right after the function, as if it were saying echo include()
Very odd, because the rest of the functions seem to be working fine. The only difference is the include().
I'll switch back to longhand if any more odd behavior appears. It would be nice to know why it was treating it like it had echo in front of it.

PHP (md5) empty result

I have a problem with this code sample, the result is a blank page. I checked mcrypt_ecb function in php, and is available. Then why I got only empty result?
$suma='9990';
$idobj='38';
$cislooz='TEST';
$input=$suma.$idobj.$cislooz;
$key='KEY';
$encrypted_text = mcrypt_ecb(MCRYPT_3DES, $key, substr(sha1($input),0,8), MCRYPT_ENCRYPT,substr(sha1($input),0,8));
echo "<b>INPUT: </b>".$input."<br>";
echo "<b>KEY: </b>".$key."<br>";
echo "<b>Hash sha1: </b>".substr(sha1($input),0,8)."<br>";
echo "<b>Hash to 3DES/ECB/NoPadding:</b> ".( $encrypted_text )."<br>";
echo "<b>to HEX:</b> ".StrToUpper(bin2hex($encrypted_text))."<hr>";
?>
You are probably experiencing a problem somewhere. I tested it on PHP 5.3.0 and it output:
INPUT: 999038TEST
KEY: KEY
Hash sha1: c063a3be
Hash to 3DES/ECB/NoPadding: K\Aj¥íµÉ
to HEX: 4B5C416AA5EDB5C9
You may have a PHP error triggered but the only way to know that is to set:
error_reporting(E_ALL);
ini_set('display_errors',1);
At the top of your script so that you'll be able to see what the error is.
Another explanation is that you started an output buffer with ob_start() and you might be managing it wrong.
Or you could have an exit; or die(); somewhere.
As you can see there might be a lot of "because" for your question.
Edit:
Finally, at last we discovered the real problem. The spaces in his code were converted to the wrong invisible character; that's because it was copied from a PDF.
Here you can see: the first lines work fine and the space corresponds to . in the script. The other symbol instead (of the commented green lines) was causing the problem.

Newbie PHP: I'm having trouble running simple example code

I'm trying to get some PHP example code to work on PHP version 5.3.4, Apache 2.2.17 on Windows.
The example says I need PHP 4.0 and above with CURL and contains:
<?
$function = $_GET['function-if-exist'];
$test = "Test";
?>
<? =$test ?>
I don't understand why I'm getting the following errors:
My PHP doesn't understand <? and wants <?PHP instead.
My PHP doesn't like <? =$test ?> and wants something like
<?PHP echo $test ?>
$function = $_GET['function-if-exist']; causes the error "Undefined index" but presumably works for the folks that developed it.
Can anyone help me understand why their code is not working for me?
1) <? is the "short tag". Most servers are configured to not allow short tags. This can be changed in php.ini.
2) Again, short tags. Also I think you can't have a space before the =, but the main problem is the short tags setting.
3) $_GET accesses the query string, so when loading your script you need myscript.php?function-if-exist=something
It is more ideal to check if the parameter is set before continuing to prevent errors being thrown, e.g.
if(isset($_GET['function-if-exist']))
{
    $functionexists = $_GET['function-if-exist'];
}
the short tag notation is disabled in your php.ini
you need to remove the space before your equal sign
your $_GET array does not contain the expected index, what url do you enter to access the page?
I don't understand why I'm getting the following errors:
My PHP doesn't understand
To be able to use short tags you will have to enable them via config ... http://www.tomjepson.co.uk/tutorials/35/enabling-short-tags-in-php.html
My PHP doesn't like and wants something like
Once you switch on the short tags you will be able to echo using ... important the equals signs must be touching the ? not variable.
$function = $_GET['function-if-exist']; causes the error "Undefined index" but presumably works for the folks that developed it.
The $_GET is populated according to what is in the url. To get a value in $_GET['function-if-exist'] the url accessing the script should be something like mydemo.php?function-if-exist=hello
Hope this helps you
Quick answers to 1 and 2 are enable the short_open_tag option into the php.ini file, for the last one is set the error_reporting to a less strict mode.
The reasons of not to adopt such measures are:
the short tag clashes with the xml declaration and is disabled on different hosts, if you need to manipulate xml or if you need to write portable code it is better to resort to the long tag syntax. You lose the ability to echo data with = but it is a small annoyance to me.
Warnings and notices, as php forgives the programmer a lot for missing variable declarations, are a blessing for debugging. Keep them raised and you will address a lot of misspellings.
Are you sure that function-if-exist is a correct index for your hash? I would check the index first, then access it. If the index doesn't exist it is a probable hint that something is going wrong with your code and you should check the reason for the missing index.
Better to stop now, as anyone can write a book on this topic, and several ones already done ;)

how to eval() a segment of a string

I have a string that has HTML & PHP in it, when I pull the string from the database, it is echo'd to screen, but the PHP code doesn't display. The string looks like this:
$string = "Hello <?php echo 'World';?>";
echo $string;
Output
Hello
Source Code
Hello <?php echo 'World';?>
When I look in the source code, I can see the php line there. So what I need to do is eval() just the php segment that is in the string.
One thing to consider is that the PHP could be located anywhere in the string at any given time.
* Just to clarify, my PHP config is correct, this is a case of some PHP being dumped from the database and not rendering, because I am echo'ing a variable with the PHP code in it, it fails to run. *
Thanks again for any help I may receive.
$str = "Hello
<?php echo 'World';?>";
$matches = array();
preg_match('/<\?php (.+) \?>/x', $str, $matches);
eval($matches[1]);
This will work, but like others have and will suggest, this is a terrible idea. Your application architecture should never revolve around storing code in the database.
Most simply, if you have pages that always need to display strings, store those strings in the database, not code to produce them. Real world data is more complicated than this, but must always be properly modelled in the database.
Edit: Would need adapting with preg_replace_callback to remove the source/interpolate correctly.
You shouldn't eval the php code, just run it. It needs a php interpreter installed, and apache+php properly configured. Then this .php file should output Hello World.
Answer to the edit:
Use preg_replace_callback to get the php part, eval it, replace the input to the output, then echo it.
But. If you have to eval things that come from the database, I'm almost sure it's a design error.
eval() should work fine, as long as the code is proper PHP and ends with a semicolon. How about you strip off the php tag first, then eval it.
The following example was tested and works:
<?php
$db_result = "<?php echo 'World';?>";
$stripped_code = str_replace('?>', '', str_replace('<?php', '', $db_result));
eval($stripped_code);
?>
Just make sure that whatever you retrieve from the db has been properly sanitized first, since you're essentially allowing anyone who can get content into the db, to execute code.
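
One way to follow the advice in these answers to store strings rather than code: the database row carries named placeholders, and preg_replace_callback expands only names from an allowlist, so nothing stored is ever evaluated. This is an added example, not code from any of the answers; the {{name}} syntax, handler names and sample rows are hypothetical.

```php
<?php
// Added example, not from the original answers. Placeholder names, handlers
// and the sample rows are hypothetical.

/** Allowlist: placeholder name => function returning plain text. */
function placeholder_handlers(): array
{
    return [
        'greeting_target' => function (): string { return 'World'; },
        'year'            => function (): string { return date('Y'); },
    ];
}

/** Expand {{name}} tokens from the allowlist; nothing is ever evaluated. */
function render_stored(string $stored, array $handlers): string
{
    return preg_replace_callback(
        '/\{\{([a-z_]+)\}\}/',
        function (array $m) use ($handlers): string {
            if (!isset($handlers[$m[1]])) {
                return ''; // unknown names render as nothing
            }
            // Handler output is data, so escape it for the HTML context.
            return htmlspecialchars($handlers[$m[1]](), ENT_QUOTES, 'UTF-8');
        },
        $stored
    );
}

/** Migration aid: rows that still carry PHP tags need rewriting by hand. */
function contains_php_tag(string $stored): bool
{
    return preg_match('/<\?(php|=)/i', $stored) === 1;
}

$rows = [
    'Hello {{greeting_target}}',
    "Hello <?php echo 'World';?>",
    '<p>&copy; {{year}} {{not_registered}}</p>',
];
foreach ($rows as $row) {
    if (contains_php_tag($row)) {
        echo 'needs migration: ', htmlspecialchars($row, ENT_QUOTES, 'UTF-8'), PHP_EOL;
        continue;
    }
    echo render_stored($row, placeholder_handlers()), PHP_EOL;
}
```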
