The best way to describe my website is to simply give you a link so that you can look at it: http://opensourcewebsite.host22.com/editpage.php. Basically, this is a website that people who are learning how to design websites can go on and test their code. I already know that in the site's current state, it is very susceptible to various attacks. Note that this is not the finished site. Users will enter their code in the textarea and when the submit button is clicked, the code is saved in a PHP variable which is then displayed on the web page. Currently you can use HTML code, CSS, and JavaScript code and have it display correctly.
My problem is that I want the user to be able to enter PHP code in the textarea and have it display the results on the webpage. Feel free to go to my site and enter code to get a feel for how the page works. When you enter PHP code you get something similar to the following:
When you enter
<?php $hi = "hello"; ?>
<?php echo '<p>$hi</p>' ?>
it will show the following in the source code
<!--?php $hi = "hello" ?-->
<!--?php echo '<p-->$hi<p></p>' ?>
The below code is how I echo the source code in the text area
<div id="editArea"><?php echo stripslashes($source_code) ?></div>
Is it even possible to store PHP code in a PHP variable? Any help would be greatly appreciated!
Additionally, if you want it to execute as code, use eval($code);
Though, I have to say what you are doing sounds extremely dangerous.
I'm looking to divide up my page into smaller sections for ease of organising my content. Other websites I've seen have used the system of having the main page url then a question mark and the next page name after it (eg. www.website.com/page.php?secondpage)
For what I want to achieve, see an example here (under collecting, current, etc). For my current page, see here.
Thanks for your help!
You can try something like this in your HTML:
<a href="page.php?collections">collections</a>
In your PHP code, you can write:
<?php if($_SERVER["QUERY_STRING"] == 'collections'){ ?>
//second page code goes here
<?php } ?>
I am using CKEditor in a simple CMS I built, with the following configuration.
<script>
if ($("#editor").length) {
CKEDITOR.replace('editor', {
language: 'en',
allowedContent: true,
});
CKEDITOR.config.protectedSource.push(/<\?[\s\S]*?\?>/g);
}
</script>
It works great if I go to the Source tab on the editor and type some PHP code like the following:
<?php echo "hello"; ?>
It gets saved in the database as <?php echo "hello"; ?>
So far so good.
Now my problem is that when getting that from the database and displaying it in the browser, it does not appear.
I did a var_dump on the variable that has the code and I see the following:
...modules\pages\views\base.php:38:string '<?php echo "hola"; ?>' (length=21)
So the value does exist and it's reaching the view; I don't understand why it is not showing up on the page.
The page is template.php.
If I look at the source code, my PHP code is being commented out:
<!--?php echo "hola"; ?-->
And this is how I am trying to display the code.
If I do the following:
<div class="article-content-container">
<?php echo $this->security->xss_clean($content); ?>
</div>
it is displayed like this:
<div class="article-content-container">
<?php echo "hola"; ?><!--?php echo "hola"; ?-->
</div>
If I display it like this:
<div class="article-content-container">
<?php echo $content; ?>
</div>
it gets commented out.
I hope I was clear; any help would be appreciated.
Thanks guys.
Browsers don't interpret PHP code, and they don't know the slightest thing about it. They never have and they never will. PHP code is executed on the server; from there it produces some output that is echoed to the client's browser, usually HTML, but can also be CSS or JavaScript, images or other downloadable files.
If you output PHP code, the most the visitor can do with it is manually save it to a local file, install their own PHP software, and run it in that. It's never going to magically run in the browser, no matter what you do.
If you want to run some code in the browser, it must be JavaScript. If you want to run some PHP code on the server, don't echo it, eval it:
<div class="article-content-container">
<?php eval($content); ?>
</div>
Note that eval treats its input as already having a PHP open tag, so you would pass echo "hello"; to it rather than <?php echo "hello"; ?>. You can still use ?> within the eval'd code to drop back to HTML+PHP mode if you need to.
Either PHP or JavaScript code could trivially be designed to be hostile, and so submitting any markup or code for execution on your website must be treated as a privileged action. You must make sure not to allow anyone who is not an authenticated administrator of your website to do it. There are ways to sandbox or purify such code if you really have to allow random people to run it, but that is more complex. CodeIgniter's xss_clean is an incomplete attempt to stop XSS, and is certainly not designed for executing user-submitted code safely, although it will mangle code and make it annoying to write.
In general:
If you need to execute submitted PHP then use eval($content);.
If you need to output submitted HTML, which may include executable JavaScript, then use echo $content;.
If you need to output submitted plain text (which is the only form where it is normally safe to allow input from users), then use echo htmlspecialchars($content);.
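Added example, not part of any answer on this page: it shows why the tags vanish and how to output stored code according to how far it is trusted. The browser's HTML parser treats "<?" as the start of a bogus comment and swallows everything up to the next ">", which is exactly the "<!--?php ... ?-->" seen in the first and third questions. htmlspecialchars() is what makes a snippet appear as typed, which is what a "try your code" site for anonymous visitors needs; eval() is reserved for an administrator's own snippets. The function name, the mode names and the $is_admin flag are my own assumptions.

```php
<?php
// Added example (not from the question or any answer above). Names are mine.

declare(strict_types=1);

/**
 * Render stored content for output.
 *  - 'text': the safe default for anything a visitor submitted; the browser
 *    shows it literally, so "<?php ... ?>" appears as typed instead of being
 *    swallowed as a bogus comment.
 *  - 'html': trusted markup (may include JavaScript), output verbatim.
 *  - 'php':  trusted code, executed with eval(); administrators only.
 */
function render_content(string $content, string $mode, bool $is_admin): string
{
    switch ($mode) {
        case 'text':
            return htmlspecialchars($content, ENT_QUOTES | ENT_HTML5, 'UTF-8');

        case 'html':
            if (!$is_admin) {
                throw new RuntimeException('raw HTML requires an administrator');
            }
            return $content;

        case 'php':
            if (!$is_admin) {
                throw new RuntimeException('executing PHP requires an administrator');
            }
            // eval() starts in PHP mode, so drop a leading open tag if the
            // stored snippet kept one; a "?>" inside the code still works.
            $code = preg_replace('/^\s*<\?php\s*/', '', $content);
            ob_start();
            try {
                eval($code);
            } finally {
                $output = ob_get_clean();
            }
            return $output;

        default:
            throw new InvalidArgumentException("unknown mode: $mode");
    }
}

// Constructed sample: the snippet from the third question.
$stored = '<?php echo "hola"; ?>';

// A visitor sees the code itself, as a "test your code" site would want:
echo render_content($stored, 'text', false), "\n";
// &lt;?php echo &quot;hola&quot;; ?&gt;

// An administrator runs it:
echo render_content($stored, 'php', true), "\n";
// hola
```

The mode is chosen by the site, never by the submitter: a visitor's content is always rendered through the 'text' branch, and the 'php' branch is only reachable for a session that has already been authenticated as an administrator.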
If you don't save your php tags in the database, you could use eval() for running the saved code:
eval($this->security->xss_clean($content));
Only when the saved bit is not surrounded by <?php and/or ?>
EDIT: Letting people run code from a database or even saving code in a database is a potential risk. It could be exploited.
I'm trying to create a facebook share button in each of my post, and the share content will be dynamic, which mean I will be able to customize its thumbnail, title and description for each of the post.
Below is the code that I use (I'm using the Advanced Custom Fields plugin in WordPress, by the way):
<a onClick="window.open('http://www.facebook.com/sharer.php?s=100&p[title]=<?php the_field(videotitle); ?>&p[summary]=<?php the_field(video_description); ?>&p[url]=<?php echo get_permalink(); ?>&p[images][0]=http://img.youtube.com/vi/<?php the_field(youtube_thumb); ?>/maxresdefault.jpg','sharer','toolbar=0,status=0,width=548,height=325');" href="javascript: void(0)" rel="nofollow"></a>
///////////////////////////////////////////////////////////////////////////////////////////////////////
Below is the PHP that will echo out my content from my CMS:
<?php the_field(videotitle); ?>
<?php the_field(video_description); ?>
<?php echo get_permalink(); ?>
The code works fine, but I noticed that when the title/description I enter is too long, or I use special characters in my post, the button stops working.
How should I overcome this? I'm still very new to PHP, so please explain in layman's terms if possible, and thank you in advance.
The problem is most likely caused by passing unescaped special characters into a direct JavaScript call.
Right now, you have the following JavaScript executing when the link is clicked:
window.open('http://www.facebook.com/sharer.php?s=100&p[title]=<?php the_field(videotitle); ?>&p[summary]=<?php the_field(video_description); ?>&p[url]=<?php echo get_permalink(); ?>&p[images][0]=http://img.youtube.com/vi/<?php the_field(youtube_thumb); ?>/maxresdefault.jpg','sharer','toolbar=0,status=0,width=548,height=325');
You are passing in several PHP variables, which may alter the format of your JavaScript. For example, let's say the_field(videotitle); returns Maria's Video. If you note, your string has a quote in it due to Maria's.
Now, if you pass this title into your JavaScript, you're going to have an unescaped quote, causing a JS error, because it will output like this:
... [title]=Maria's Video ...
To address this, you must format your PHP output to ensure that it will not affect the JS code. In my example, you can encode the outputted strings using the urlencode function included with PHP, like this:
<?php echo urlencode(get_field('videotitle')); ?>
Just remember that passing PHP variables into JavaScript CAN alter the syntax of your JavaScript function. If the final JavaScript function contains syntax errors caused by the PHP output, it will not run.
You can see the JavaScript errors on the page you are debugging by hitting F12 in your browser and viewing the Console tab.
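Added example, not from the question or the answer above, and going one step further than urlencode() on each field: the whole sharer URL is built with http_build_query(), which percent-encodes every value (quotes, ampersands, angle brackets, non-ASCII text) and nests the p[...] keys, and the onclick handler only refers to this.href, so no field value is ever spliced into JavaScript source. The field values are constructed; on a real site they would come from get_field(). Function names are mine.

```php
<?php
// Added example (not from the question or the answer above). Names are mine.

declare(strict_types=1);

/** Build the Facebook sharer URL with every parameter percent-encoded. */
function sharer_url(string $title, string $summary, string $url, string $thumb_id): string
{
    $query = http_build_query([
        's' => 100,
        'p' => [
            'title'   => $title,
            'summary' => $summary,
            'url'     => $url,
            // The thumbnail id lands inside a path, so encode it on its own.
            'images'  => ['https://img.youtube.com/vi/' . rawurlencode($thumb_id) . '/maxresdefault.jpg'],
        ],
    ], '', '&', PHP_QUERY_RFC3986);

    return 'https://www.facebook.com/sharer.php?' . $query;
}

/**
 * Emit the share link. The URL goes into href (escaped for an HTML attribute);
 * the handler reads this.href, so the JavaScript never contains page data.
 */
function share_button(string $title, string $summary, string $url, string $thumb_id): string
{
    $href = htmlspecialchars(sharer_url($title, $summary, $url, $thumb_id), ENT_QUOTES, 'UTF-8');

    return '<a href="' . $href . '" rel="nofollow" '
        . 'onclick="window.open(this.href,\'sharer\',\'toolbar=0,status=0,width=548,height=325\');return false;">'
        . 'Share</a>';
}

// Constructed values containing the characters that broke the original button.
echo share_button(
    "Maria's Video \"Part 2\"",
    'Summary with & and <b>tags</b>',
    'https://example.com/?p=42',
    'VIDEO_ID_PLACEHOLDER'
), "\n";
```

Because the values only ever pass through percent-encoding (for the URL) and htmlspecialchars() (for the attribute), an apostrophe, a quote or an angle bracket in a title cannot change the meaning of either the URL or the handler, and a very long description simply becomes a longer query string.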
I'm looking for a way to write some normal text, i.e. content or a problem description, together with some code; for example, [div] [/div] code should be able to stand there without problems, where currently it does not appear at all.
Therefore I am searching for a way to write normal HTML text but at the same time show some code when you have a problem.
Right now I use TinyMCE to write the text, but when I output it like this,
<?php echo strip_tags($tekst);?>
this is how it appears on the page:
<?php echo \"Hello\";?>
What I want is just to write some text and some code about the problem on this page, or the like. I'm wondering if I can fix it the same way, or how it should look?
Sorry for the vague title but it's hard to describe what I mean in a few words.
I made my own CMS and use it for all my personal projects. On some pages I want to include a PHP script in the content area. I load the content simply by echoing the variable that holds the content.
The template file looks like this:
<div id="content">
echo $content;
</div>
In my CRUD I make a post containing a PHP snippet.
<?php echo "My name is ".$var.""; ?>;
Then I save it and load the page and this is what happens:
<div id="content">
echo <?php echo "My name is ".$var.""; ?>;
</div>
But what I want is that the PHP code gets executed instead of getting echoed.
Something like the WordPress plugin Exec-PHP. Can anybody explain to me how to achieve this?
Thanks in advance!
You could use the PHP eval() function to execute PHP code. Be aware though, if you ever allow users to insert text that may at some point be run through eval(), you could end up with some serious problems.
The PHP website says:
The eval() language construct is very dangerous because it allows execution of arbitrary PHP code. Its use thus is discouraged. If you have carefully verified that there is no other option than to use this construct, pay special attention not to pass any user provided data into it without properly validating it beforehand.
You can try the PHP eval() function. But it is considered evil.
Rather than use PHP instructions, why don't you output to HTML, and use JavaScript to execute what is displayed? There is no danger to your server that way. Others have already warned about the dangers of eval() in PHP.