Why is my PHP code passed in source to the client? - php

I've just started to learn PHP. I'm using a free host to test my code, but nothing happens, and my PHP code is passed in the source of the page. Does this show that the server doesn't interpret it?

Yes, that shows that the server isn't interpreting it properly. The user should never receive PHP code, just the html/javascript/whatever that your PHP script outputs.
As for why this is happening, here are a few basic things to check:
Your PHP code should begin with the <?php tag and end with the ?> tag (the ending tag isn't strictly necessary, but any code you put after it won't be interpreted).
The document's name should end with .php (not always necessary, but some server setups may require it).
If you haven't checked already, make sure that the host you're using supports PHP in the first place.

Is php code passed in source to the client?
No.
Your PHP interpreter isn't being invoked.

Related

Headers already sent in cron job solutions not working

I know this has been asked tons of times here and all over the internet however solutions I found are not working and this has been driving me crazy for several months now.
I have a very simple PHP page:
<?php session_start(); ?>
I'm getting the nightmare errors "headers already sent" and "cache limiter" in my error_log. It doesn't affect the function of any of the scripts, but it's filling the error_log so much. There is no error when running from the browser.
I have tried the TextWrangler editor for Mac, choosing the Unicode UTF-16 with no BOM option when saving. However, after creating the file using TextWrangler, making sure that the extension is PHP, and uploading the file to the server, I tried running the file directly and I got the following in the browser:
<�?php session_start(); ?>
So the file is not encoded properly. I don't know why. With regular encoding of UTF-8 from either TextEdit or TextWrangler, the header error would appear in cron job as stated before.
I write all the text myself without copying, so that there are no BOM characters in the file. Is there any REAL solution for this error? Should I use an ANSI editor? Isn't the save as UTF-16 with no BOM option used to avoid these errors? Or must these errors appear if there is a session in cron?
Lastly I use the following cron job in cpanel: php -q /path/to/file.php
Calling your php script from cron will invoke PHP-CLI environment, which is not the same as calling the same script from the browser.
For example there are no cookies and obviously there is no session by default.
However, if you still want to enjoy the sessions, there is a way. You can try this:
<?php
session_id ("temp");
session_start();
print_r ($_SESSION);
?>
If you give us information about the final goal or the use case behind this script we can help you more!

Security vulnerability - What is this URL trying to do?

I've just received the following error from a few sites I run:
Error Caught in Application_Error event
Error in:
https:///phppath/php?-d+allow_url_include=on+-d+safe_mode=off+-d+suhosin.simulation=on+-d+disable_functions=""+-d+open_basedir=none+-d+auto_prepend_file=php://input+-n
Error Message:A potentially dangerous Request.Form value was detected
from the client (="Stack Trace: at
System.Web.HttpRequest.ValidateString(String value, String
collectionKey, RequestValidationSource requestCollection)
Obviously, the ASP.NET has just rejected this - a good thing.
But what I do not understand, not being a PHP type chap, is what it is trying to do?
The attacker has sent PHP code in the HTTP request body, and he is trying to have that code executed by your web server.
The php://input references the request body (ie POST data). The auto_prepend_file directive allows the script to include PHP code in the same way that include() and require() work. If successful, the uploaded code would be prepended and executed.
The payload most likely contains a backdoor script and some code to call home to let the developer know that a hack was successful.
This is most likely a bot that has randomly selected your server, as opposed to a human manually attempting it.
The bug that the attacker is trying to exploit is CVE-2012-1823:
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not properly handle query strings that lack an = (equals sign) character, which allows remote attackers to execute arbitrary code by placing command-line options in the query string, related to lack of skipping a certain php_getopt for the 'd' case.
http://www.cvedetails.com/cve/CVE-2012-1823
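Requests of the kind quoted in the question can be picked out of web-server access logs. The following is an added example, not part of the original answers: it flags request targets whose query string starts with a command-line option, lists the `-d` overrides requested, and records whether the raw query lacks a literal `=` (the condition the CVE text names). The log lines are constructed, a combined-log-style request field is assumed, and all function names are illustrative.

```python
import re
from urllib.parse import unquote

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed access-log lines; addresses are from documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2013:13:55:36 +0000] "POST /phppath/php?-d+allow_url_include%3don+-d+auto_prepend_file%3dphp://input+-n HTTP/1.1" 404 512
198.51.100.4 - - [10/Oct/2013:13:56:01 +0000] "GET /index.php?id=42&sort=-date HTTP/1.1" 200 2048
198.51.100.4 - - [10/Oct/2013:13:58:40 +0000] "GET /search.php?q=a+-d+b HTTP/1.1" 200 1024
203.0.113.7 - - [10/Oct/2013:13:59:02 +0000] "GET /phppath/php?-d+allow_url_include=on+-n HTTP/1.1" 404 512
"""

def option_words(target):
    """Return the query split into command-line words, or [] if benign."""
    _, sep, raw_query = target.partition("?")
    if not sep or not raw_query:
        return []
    # '+' separates the words; percent-decode each word after splitting
    words = [unquote(w) for w in raw_query.split("+")]
    # Only a query whose first word is an option looks like a command line
    return words if words[0].startswith("-") else []

def ini_overrides(words):
    """Collect the name=value argument that follows each -d switch."""
    return [words[i + 1] for i, w in enumerate(words[:-1]) if w == "-d"]

def scan(log_text):
    """Return one finding per log line that carries option-style words."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        words = option_words(m.group("target"))
        if words:
            raw_query = m.group("target").partition("?")[2]
            findings.append({
                "client": line.split()[0],
                "method": m.group("method"),
                # CVE-2012-1823 concerns queries with no literal '='
                "no_raw_equals": "=" not in raw_query,
                "overrides": ini_overrides(words),
            })
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```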

How to execute php in an external file

Why doesn't this work?
// File hosted on `example.com`
// db-con.php
<?php
define("DB_HOST" , "host");
define("DB_NAME" , "name");
define("DB_USER" , "user");
define("DB_PASS" , "pass");
-
// File hosted on `another-example.com`
// index.php
<?php
include 'http://example.com/db-con.php';
echo DB_HOST;
-
// output
Notice: Use of undefined constant DB_HOST - assumed 'DB_HOST' in C:\Users\Alex\Dropbox\Shared\Web\htdocs\BASE_TEMPLATE\index.php on line 14
Surely by including the external file, the php is run, and the constants are defined?
You are not including the file as you see it, but instead including the response of the remote web server when that file is requested.
That is, the remote web server sees a request for db-con.php, loads it up, executes the code (defining constants in its own local process) and returns the output to you (which is probably empty, as the code does not echo anything). Therefore the end result is the same as if you had included an empty file.
Update: dug up the reference from the manual:
If "URL fopen wrappers" are enabled in PHP (which they are in the
default configuration), you can specify the file to be included using
a URL (via HTTP or other supported wrapper - see Supported Protocols
and Wrappers for a list of protocols) instead of a local pathname. If
the target server interprets the target file as PHP code, variables
may be passed to the included file using a URL request string as used
with HTTP GET. This is not strictly speaking the same thing as
including the file and having it inherit the parent file's variable
scope; the script is actually being run on the remote server and the
result is then being included into the local script.
So how to do it?
Well, including code from a remote server is something you shouldn't really think of doing (although there are ways to make it happen, it's a really bad idea). In any case you won't be able to do it without the explicit cooperation of the remote server (otherwise anyone could include anyone else's configuration file and use get_defined_constants to get the passwords). And if you do it, anyone else would be able to follow the same steps and get hold of your passwords. You don't want that to happen.

Looking for recommendations to better troubleshoot disallowed short tag in PHP 5.3 with Apache 2

I'm upgrading a huge codebase for thousands of web pages to PHP 5.3 from an earlier version. We've dropped the use of short tags (<%, <?=, etc...) and have them disabled in the php.ini and have made reasonable effort to find any in the code and replace them.
However, when someone creates something with or short tag or some legacy code still has one we missed, Apache returns a blank document with a 200 status. The problem is, PHP doesn't throw an error (obviously since it's not parsing them) and Apache doesn't seem to log it as an error either. This creates a problem for detecting these without visually inspecting all pages (a simple crawler is happy with the 200 the URL returns).
Does anyone know of any way to get Apache or PHP to throw an error when it hits a short tag as a site is being crawled?
Can't really find a way to have PHP or Apache to issue some kind of a warning related to documents with short tags, but you could set a cron job to search all files under your server's web folder and for example send an email with the results, thus at the very least having pointed out the files with short tags on it:
Simple Example: cron job
<?php
// run grep recursively for '<?' that is not immediately followed by 'p'
$found = shell_exec('grep -rn "<?[^p]" *');
if ($found!='') {
// email or any other action...
}
?>
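A stricter scan than the grep above, as an added example that is not part of the original answer: it skips `<?php` and `<?xml`, also reports `<?=` and the ASP-style `<%` tags named in the question, and exits non-zero so a cron job or build step can fail on a hit. The file extensions, function names and sample page are assumptions made for illustration.

```python
import os
import re

# '<?' not followed by 'php' or 'xml' (optionally '<?='), or ASP-style '<%'
SHORT_TAG_RE = re.compile(r"<\?(?!php\b|xml\b)=?|<%=?", re.IGNORECASE)

def find_short_tags(source):
    """Return (line_number, tag) for each short or ASP-style open tag."""
    return [
        (lineno, m.group(0))
        for lineno, line in enumerate(source.splitlines(), start=1)
        for m in SHORT_TAG_RE.finditer(line)
    ]

def scan_tree(root, extensions=(".php", ".inc", ".phtml")):
    """Walk root and return (path, line_number, tag) for every hit."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            # Legacy files are often not UTF-8; never abort the scan on one
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, tag in find_short_tags(fh.read()):
                    findings.append((path, lineno, tag))
    return findings

# Constructed sample page mixing allowed and disallowed tags
SAMPLE = """<?xml version="1.0"?>
<?php echo "ok"; ?>
<? echo "legacy"; ?>
<p><?= $title ?></p>
<% echo "asp style"; %>
"""

if __name__ == "__main__":
    import sys
    hits = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, lineno, tag in hits:
        print(f"{path}:{lineno}: disallowed open tag {tag!r}")
    sys.exit(1 if hits else 0)
```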

Using PHP on non-supportive server

I have a rather complicated scenario that I have never really had to deal with before. I am creating a website that will be hosted on a web-server without PHP support. But I need to call a PHP script that returns a Flash Slideshow. Is there any way that I can do this? Here is the bit of PHP code that I need to call to return the Flash Slideshow.
<?php
//include slideshow.php to access the Insert_Slideshow function
include "http://mywebsite/slideshow.php";
//insert the slideshow.swf flash file into the web page
//tell slideshow.swf to get the slideshow's data from sample.php created in the first step
//set the slideshow's width to 320 pixels and the height to 240
echo Insert_Slideshow ( "http://mywebsite/slideshow.swf", "http://mywebsite/sample.php", 600, 500 );
?>
To run PHP on your server (not another server) you will definitely need to install a PHP processor.
However since you have a hard-coded URL in there, it looks as though the PHP code is just some kind of utility function for inserting a flash movie.
Run the PHP code on your local computer (for example) and see what HTML it generates, and if it always generates that same HTML, why not just copy it and use that in your website.
You could have the PHP script execute on a PHP enabled webserver somewhere else and include it in an iframe on the page without PHP support. That would be quite ugly, tho.
Although you obviously can't run PHP on a server that doesn't have it, if your slideshow doesn't change frequently perhaps you could run your PHP script on another machine, capture the output, then upload that to your web host.
This is not possible. If you need to call a PHP script, it's obvious that you need PHP installed on the web server.
