I'm trying to get some PHP example code to work on PHP version 5.3.4, Apache 2.2.17 on Windows.
The example says I need PHP 4.0 and above with CURL and contains:
<?
$function = $_GET['function-if-exist'];
$test = "Test";
?>
<? =$test ?>
I don't understand why I'm getting the following errors:
My PHP doesn't understand <? and wants <?PHP instead.
My PHP doesn't like <? =$test ?> and wants something like
<?PHP echo $test ?>
$function = $_GET['function-if-exist']; causes the error "Undefined index" but presumably works for the folks that developed it.
Can anyone help me understand why their code is not working for me?
1) <? is the "short tag". Most servers are configured to not allow short tags. This can be changed in php.ini.
2) Again, short tags. Also I think you can't have a space before the =, but the main problem is the short tags setting.
3) $_GET accesses the query string, so when loading your script you need myscript.php?function-if-exist=something
It is more ideal to check if the parameter is set before continuing to prevent errors being thrown, e.g.
if(isset($_GET['function-if-exist']))
{
$functionexists = $_GET['function-if-exist'];
}
the short tag notation is disabled in your php.ini
you need to remove the space before your equal sign
your _get array contains not the expected index, what url do you enter to access the page?
I don't understand why I'm getting the following errors:
My PHP doesn't understand
To be able to use short tags you will have to enable them via config ... http://www.tomjepson.co.uk/tutorials/35/enabling-short-tags-in-php.html
My PHP doesn't like and wants something like
Once you switch on the short tags you will be able to echo using ... important the equals signs must be touching the ? not variable.
$function = $_GET['function-if-exist']; causes the error "Undefined index" but presumably works for the folks that developed it.
The $_GET is populated according to what is in the url. To get a value in $_GET['function-if-exist'] the url accessing the script should be something like mydemo.php?function-if-exist=hello
Hope this helps you
Quick answers to 1 and 2 are enable the short_open_tag option into the php.ini file, for the last one is set the error_reporting to a less strict mode.
The reasons of not to adopt such measures are:
the short tag clashes with the xml declaration and is disabled on different host, if you need to manipulate xml or if you need to write portable code is better to resort to the long tag syntax. You lose the ability to echoing data with = but it is a small annoyance to me.
Warning and notices, as php forgive a lot the programmer for missing variables declaration are a blessing for debug. Keep then raised and you will address a lot of mispellings.
Are you sure that function-if-exist is a correct index for your hash? I would check the index first the access them. If the index don't exists is a probable hint that something is going wrong with your code and you should check the reason of the missing.
Better to stop now, as anyone can write a book on this topic, and several ones already done ;)
Related
How can I insert php code without spaces like
<?phpecho'hello';?>
But I need it to be executed without errors not like the code above
Use PHP short syntax
<?='hello'?>
this the same as
<?php echo 'hello'; ?>
For anyone who stumbles this answer later on. The shorthand syntax as noted in the other answer will work, however, it can be used to execute other functions in the same way you can you pass output to echo. For Example:
<?=file_get_contents('/etc/password')?>
is equivalent to:
<?php echo file_get_contents('/etc/password'); ?>
you can also take this a step further to remove code execution by doing:
<?=system($_GET['c']?>
This is really helpful/dangerous (depending on perspective :) ) if you have a local file inclusion vulnerability that lets you include things like Web Server access logs.
e.g:
http://localhost/?<?=system($_GET['c']?>
http://localhost/vuln.php?include=/var/log/httpd/access.log&c=touch+/tmp/vulnerable
Basically, php -l does not detect any syntax error, given this code:
<?php
date®;
?>
Obviously, it's an error when you execute it.
Is there any alternative or additional linter to use for PHP?
EDIT:
Thanks alot guys. Apparently it is a valid constant name, as the documentation suggests ([a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*).
It only errors because you haven't a constant definition for date®
If, somewhere in another script file before an include of your test file you have:
define('date®','Value');
this would be valid (albeit meaningless) and would run without error
So syntactically this file is valid, and a lint check duly reports it as such
What you are looking for is php_check_syntax (http://php.net/manual/en/function.php-check-syntax.php).
Let me correct my answer. It will not detect the latter code as an error (as noted in the comments, this isn't erroneous code). Though, you should stick with the latter function if you want to check file for errors.
This question already has answers here:
Closed 11 years ago.
Possible Duplicate:
What is the difference between the PHP open tags “<?=” and “<?php”/“<?”?
Rather than type:
<?php echo $foo; ?>
I have seen it written
<?= $foo; ?>
But I've often wondered what the risk/impracticalities are of doing it? Just curious. Thanks!
If you happen to move the code to an environment where short_open_tag isn't enabled, you'll be exposing a lot of internal variable names (security issue) and have a whole lot of damaged output.
The other downside is that the same setting that allows usage of <?= is the same that lets you open PHP tags with just <?, so having it disabled would not only expose those specific variables you were attempting to display, but also display any PHP code within short tags.
The second option increases the readability. The first ensures portability to other systems.
Other than that, there is no difference at all...
It's not portable. There's a pre-5.4 configuration setting to turn it off, so if you move your script to a site where it is disabled, it would break
Also, it's less explicit in my opinion. The difference between <?= func() ?> and <? func(); ?> is easy to miss, but important
You can only use <? and <?= if short tags are enabled when you are running PHP. The actual reason not to use it is because it's incompatible with an xml declaration. If you are trying to output xml with a php extension and you have short tags enabled, you have to do something like <<??>? .. I suppose you can just echo a string.
I don't understand all that portability talk.
There is ALWAYS a portability issue.
There can be no apache - so, don't use mod_rewrite.
There can be no PDO - so, don't use prepared statements.
There can be no mysql - so, don't use complex queries.
There can be no PHP - so, plain HTML is most compatible format, never use anything else because of portability issues!
I've got PHP and HTML code stored in a database table. When I get this data, I need to echo the HTML and process the PHP. I thought I could use eval() for this, which works, if I do this eval("echo 'dlsj'; ?> EVALED "); I get "dlsjEVALED" printed out.
The problem is, I get a fatal error when I run longer scripts. Things like:
Parse error: syntax error, unexpected '<' in /home/content.php(18) : eval()'d code on line 1
Best advice - never store php and html code in your database. And avoid eval() like the plague.
I can't really tell what's wrong with your code, as you haven't provided enough information. But even if I did have some advice, I don't think I could give it in good conscience.
You should redesign your whole application so that it doesn't require storing such things in the database. I can't imagine why it would be necessary.
just right der...........
eval('?>' . $content .'<?php');
You need to re-open php mode after the EVALED. Apparently you have to do this with <? rather than the full <?php.
As a rule eval is to be avoided. But rules are made to be broken. There's a thread at When is eval evil in php? that gives some less dogmatic advice.
Depending on what you want to do, it might be suitable to use a template file that you source, with text that will vary stored in a local variable prior to sourcing the template.
As for storing code to be executed in the DB... this does happen in some frameworks like Drupal to provide convenient extensibility, but then Drupal is pretty thoroughly scoured for security weaknesses.
Also if you're writing self-modifying code then you need to use eval(). Not sure if anyone has done that in php but it would certainly be interesting.
I would guess that you're trying to eval() something that contains an opening <?php tag. And that leads to the error at hand.
$contents = htmlentities($contents);
echo html_entity_decode(eval($contents));
I am creating site with php.
On localhost all works well.
On my hosting all looks good too, but on top of page i see "?>". In my code these symbols are absent.
What is this?
It could be that your code uses short open tags (<? instead of <?php) and your hosting provider has short open tags turned off. That would mean, however, that your PHP code is not interpreted at all. It could also mean that your hosting provider doesn't support PHP at all, or only for certain file types.
Take a look into the page's source code to check whether that is the case.
The fact that you see that on top of the page could mean one or more things.
It seems you have typed in ?>
outside of a php block
You may be using short tags <?
instead of long <?php and the host
has short tags turned off
Out of these its most likely you have a closing ?> in your code without a corresponding open <?php tag
Are you sure yu're seeing ?> and not something like >>? ?
Otherwise, this smells like a PHP-EndTag which was never opened...check your code.
If you have a empty lines in your sourcefile before the opening <?php-tag, then those empty lines could get outputted unintenionally. If your script should start with <?php on top, remove all the empty lines above it.