I'm developing a web application where an html page is created for the user. The page could include anything that the user puts in it. We take these pages and add a little PHP at the top to check some things before outputting the actual html. It would look kind of like this:
<?php
require 'checksomestuff.php';
// User's html below
?>
<html>
<!-- user's html -->
</html>
Is there a way to stop PHP from parsing anything after my require? I need the html to be outputted, but, since the user can add anything they want to the html, I don't want any user-added PHP to be executed. Obviously that would be a security issue. So, I want the user's html to be outputted, but not parse any PHP. I would rather not have to put the user's html into another file.
One sensible way would be to offload the user created content to another file and then you should load this file (in your main php file) and output it as is - without parsing it as PHP.
There are many other ways to do this but if creating another file does the job for you then thats probably the best way forward.
UPDATE: Really must read last line of question!
You could encode the html into a variable using base64 encoding which you then just print out the decoded string.
If you don't store the file data in a php file, say n a txt or html file, the php won't be evaluated.
Alternatively you could read the file via file_get_contents() or by some other means which doesn't involve evaluating php.
Though I'm still tempted to ask why you want to do this (particularly this way), it sounds to me like one of the only things that can help you is the special __halt_compiler() function...
That should prevent it from executing the rest of the page, and may or may not output the rest of it. If not, well, read the first (and currently only) example in the PHP's manual for that function (linked above) for how to do it manually.
The only trouble I see with this method is that you'd probably have to have that code in every file you want to do this for, after your require.
Related
Consider the following script:
file_put_contents('/var/www/html/myfile.php', $header.$_POST['users_html'].$footer);
$header and $footer are safe, however, $_POST['users_html'] is suspect.
The intent is $_POST['users_html'] is HTML, but obviously someone could maliciously post something else. The content will not be stored in a DB or used in a SMS, and /var/www/html/myfile.php will be public and only opened by Apache. While I didn't show it and am not asking about this part, after I know $_POST['users_html'] is safe, I will be replacing certain tags such as {{1}} to <?php echo(getSomething(1));?> using regex.
Assume I am not concerned with JavaScript threats, and my only concern is someone running PHP on the server which I did not intend.
Other than ensuring that $_POST['users_html'] doesn't contain any <? tags, what should be done?
If it's only going to be pure HTML, then treat it as such. DO NOT put in into a PHP file - it will end up being run like a little Bobby PHP script. Save to a separate file (outside the web-root, so it cannot be accessed directly from the website).
Never include/require it, always echo file_get_contents() or fpassthru() the file and BEFORE you save it, run the code through a Whitelist HTML filter - such as the htmlpurifier library, and then put it to disk or database.
So, probably not a great idea, but at least this way, you'll have a chance.
Have a abstract how-to question which I haven't found a solution.
Lets say you built a plugin for a CMS like wordpress, I'm using a MCMS called GetSimple.
And now within that plugin.. when a button is clicked by the user... two external php files have their code ran and their output taken and put collectively into a single static file.. say a html or css file.
So then in this kind of scenario... how can you (within the plugin) run an external php file without effecting the current page you are on, then take that output and put it as a string into a variable.. repeat this for another php file... then take the two string outputs, merge them... then put them into a single static file?
This has proven to me to be a very difficult task.
for more details you can see this question:
https://stackoverflow.com/questions/15080163/how-to-create-a-file-with-php
So how would you go about doing this?
I was looking at the possibility of saving each file's output into separate xml files and then merging those xml files... but the problem still remains of running external php and putting that data somewhere without affecting the current page PHP you are on.
If you can generate the response on the server-side, you could simply run those PHP scripts using for example shell_exec() or using Symfony2 Process Component, then gather the results using file() or file_get_contents() functions.
If you need to have this things generated on button click, you must notify server to handle that tasks, and to do so you need to make an AJAX calls calling that scripts using methods I've told you above.
I am creating some kind of custom CMS (home automation).
Well I am not a PHP developer - just hobbyist.
What I am trying to achieve is:
In my index.php page I have something like:
"<?php echo $pageBody; ?> "
PageBody I am fetching from Database, well it works well for HTML, JS. But it doesn't work with PHP code source.
I done some research I believe this is related to PHP security restrictions.
My question: Does anybody would be able to provide safe sample (cannot find any samples like this) - how I should do this.
I am trying to insert some php code and render it eventually via browser:
<div id="outer">
<div id="inner">
***PHP Code should go here***
</div>
</div>
At the minute - it is being rendered as text. However I can render properly HTML and JS.
My preferable way would be - as much as possible secure.
Many Thanks Guys!
When you retrieve PHP code from a database text field, the PHP interpreter does not "know" that it should parse the data as a PHP script. To the PHP interpreter, the data in that field is no different from any other data -- it is all strings without any special significance.
You could use eval (docs) to accomplish this if you're dealing with pure PHP scripts. Be forewarned: eval is considered "evil" because using it comes with risks, especially if your users will have any input as to the content of the database.
In your case, it sounds like you want to parse mixed PHP and HTML that is stored in a database field. In order to do this, you'd need to write the database data into a file, then include it so the PHP interpreter can do its thing. You should implement some kind of caching mechanism in this process, otherwise it might become heavy on your server with many users. You may also want to use output buffering (docs) to capture the output instead of immediately sending it out.
Briefly, you'd want to do something like this:
$content_from_db = "<h1>Hello <?php print 'Clarisse'; ?></h1>";
$identifier_from_db = '12'; // like the primary key from the table
$file_handle = fopen('cached_content/CACHE_'.$identifier_from_db.'.php', 'w');
fwrite($file_handle, $content_from_db);
fclose($file_handle);
// here is where you'd start output buffering, if you're going to do that (optional)
include('cached_content/CACHE_'.$identifier_from_db.'.php');
// and then here you retrieve the output buffer's content (optional)
Please note that this is not a "traditional" way of including dynamic content, and the above code is not production-ready. Without knowing your use case, I can't say for certain, but this idea of storing PHP code in the database is a rather unusual way to proceed.
Another alternative to rolling your own is the smarty template library. Check it out here: http://www.smarty.net. With smarty, you can write a resource plugin to pull the templates from the database. It would look something like the code above (more info)
Documentation
fwrite - http://php.net/manual/en/function.fwrite.php
include - http://php.net/manual/en/function.include.php
PHP basics on theopensourcery.com - http://theopensourcery.com/phpbasics.htm
Server-side scripting on Wikipedia - http://en.wikipedia.org/wiki/Server-side_scripting
eval - http://php.net/manual/en/function.eval.php
Output Control (buffering) - http://php.net/manual/en/book.outcontrol.php
Smarty - http://www.smarty.net
to execute PHP that you store in a string (or database) you can use the eval function, but be careful it could be somewhat dangerous.
You can't render (probably you mean execute) php code in the browser, because php scripts execute on the server and then the output is sent to the browser. By the time the browser recieve the response, script has already finished execution.
You can fetch the code from database and use eval() before sending the output. But you must be aware of drawbacks from this approach.
Browser cannot render (execute) PHP code. PHP is something that the server executes and sends to the browser as plain HTML to display.
For testing purposes you can download and install WAMP thats the most hassle free one stop solution for development.
link : http://www.wampserver.com/en/
Is there a way to redirect using PHP without using header("Location: http://www.google.com")? I put that at the top, right after a PHP script (which has no output), but it doesn't work. I use the PHP to check something in the database, and it will redirect depending on the contents.
"Right after a PHP script"? Well, it's going to have to be in a PHP script to work.
If that's not it, please consider showing your previous code. Remember, don't post a question asking how to implement your solution, but rather the question itself...
Your code should always work as long as the header is called before any echo or print statements that send output to the browser. Another possibility is your webserver sending out additional output or headers that are causing the redirect to not work.
One way to test would be to telnet to your webserver and send GET /myscript.php. Then view the result and see if it is what you expect.
Per the PHP documentation:
Remember that header() must be called before any actual output is
sent, either by normal HTML tags, blank lines in a file, or from PHP.
It is a very common error to read code with include(), or require(),
functions, or another file access function, and have spaces or empty
lines that are output before header() is called. The same problem
exists when using a single PHP/HTML file.
Without seeing the actual code that the redirect resides in it will be difficult to assist. Perhaps if you could provide more details then someone may be able to suggest another technology to help but the header method is the only one that I've came across.
I have a website displaying data from MySQL in a php file (/something.php).... i want to copy the source code of that page as HTML so i can use it in a textfield box so users can copy paste that code...
It's almost like an HTML generator using info from mySQL, so users can custimize each HTML code.
I have everything covered... except the display HTML thing.
echo htmlspecialchars(eval(file_get_contents('path/to/your/file')));
Eval is generally frowned upon however but this is a quick and easy solution.
You need to escape the HTML into HTML entities. For instance, convert < into <.
You need to actually request the page from the web server, not simply read its contents in order for the PHP to execute and produce the result. That is, if I understand correctly that PHP (the file you were simply reading) is querying the database to actually fetch the desired HTML to display.
So, something like (if permitted) file_get_contents("http://url_of_php_file_you_were_simply_reading_not_requesting"); , then of course run that through htmlspecialchars();
Better to just use CURL to stay portable when requesting the page.
There's a php function htmlspecialchars you should look into.
For rendering check either eval (quick & dirty) or ob_start and friends (the more complex way to do it, though safer and generally supported by more hosters).