var reads HTML code as STRING - php

Very simply, I want to make a variable read the HTML code as a string; I mean, don't execute it (run it).
The problem with the code is: I have an HTML file, and I want to get its content and do some preg_replace on it (run a function on the HTML code). The problem is I can't use preg_replace, or any other function, because the HTML code is executed by PHP (PHP reads the HTML code).
I hope you understand me. I want something like highlight_string, but one that saves the HTML code in the variable.
Thank you.

You're probably trying to include or require the HTML code,
which is incorrect since it is evaluated as part of the source.
Instead, use a function such as file_get_contents() to read the file into a string.

Use file_get_contents() as @David Chan suggested and then pass the result through htmlentities()... it converts the characters to HTML entities (i.e., < to &lt;).
$getTheContent = file_get_contents($filepath);
echo htmlentities($getTheContent);
It should return the code, not executed.
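The approach from the answers above, as an added example that is not code from the original posts: the file is read as inert text, rewritten with preg_replace(), and escaped only at output. The loadAsText() helper, the base-directory check and the sample file are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: read a file as plain text. Unlike include/require,
// file_get_contents() never hands the bytes to the PHP interpreter.
function loadAsText(string $baseDir, string $name): string
{
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    // Assumption: templates live under one directory; reject any name that
    // resolves outside it (for example one containing "../").
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException('file is outside the template directory');
    }
    $text = file_get_contents($path);
    if ($text === false) {
        throw new RuntimeException('file could not be read');
    }
    return $text;
}

// Constructed sample file, written to a temp directory so the example runs offline.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . '/page.html', "<h1>Title</h1>\n<?php echo 'not executed'; ?>\n");

$source = loadAsText($dir, 'page.html');

// The content is an ordinary string, so preg_replace() works on it.
$source = preg_replace('/<h1>(.*?)<\/h1>/i', '<h2>$1</h2>', $source);

// Escape once, at output time, so the browser shows the markup instead of rendering it.
echo htmlspecialchars($source, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), "\n";

unlink($dir . '/page.html');
rmdir($dir);
```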

Related

remove <> automatically in my php files

I call, for example, this element SEND_EXTRA_ORDER_EMAILS_TO from my database
SEND_EXTRA_ORDER_EMAILS_TO = test<test#test.com>
When I write an echo, print_r or var_dump in my PHP code,
e.g.
var_dump(SEND_EXTRA_ORDER_EMAILS_TO), it writes only test.
Do you have an idea how to resolve this, because this element is made to send an email?
I use PHP 7 and MySQL 7.
Tk
You can use htmlspecialchars() to escape the string so your browser won't treat your string as HTML.
$code = "<h1>Hello world</h1>";
echo htmlspecialchars($code);
// Will output <h1>Hello world</h1> without rendering the HTML in the browser
Try with htmlentities(EMAIL_FROM); that works.

eval() function in PHP, how to make this work properly on the website?

I have a problem with eval() function. Please do not comment something like "Don't use eval" or anything of this kind of thing, as this is not helpful. I have a very good reason to use eval().
Basically I am getting a value from a text field in html on my web page as input code to be executed, like so:
$code = $_POST['code'];
Then, I am passing that value to the eval function in the HTML body, like so:
eval($code);
The results are displayed like this:
<h1>test</h1>
The above is displayed as a string. I want this to execute the HTML part of it as well. Funny thing is, if I try this in a different file like this:
<?php
$code = "echo '<h1><b>TEST</b></h1>';";
eval($code);
?>
I get the desired result, which is a proper processed html element h1 with "TEST" in it.
Any ideas?
Thanks in advance
$_POST['code'] apparently contains HTML entity codes, e.g.
"echo '&lt;h1&gt;test&lt;/h1&gt;';"
You need to decode it before calling eval.
eval(html_entity_decode($_POST['code']));

file_get_content and file_put_content to include php code? [duplicate]

I'm using the PHP function file_get_contents to parse a PHP file. But it seems that as soon as it reads the PHP tags, file_get_contents malfunctions.
I checked the function with a normal text file, and it's functioning perfectly. But even if it finds PHP tags in a text file, the file is only half read. How can I find a way to get the full contents?
Is the file local? Or are you trying to get a remote file? How did you check that the content is not read? Echoing it to a browser might trick you because of the < char in <?php
Use htmlspecialchars or <pre> to view the whole text. Or just look at the source of the page.

PHP How do I remove script tags from URL?

I have a URL (with file_get_contents) and this link has script tags; how can I remove them?
Try the following regex (taken from the jQuery source code).
// PCRE has no "g" modifier; preg_replace() already replaces every match.
$data = preg_replace('/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/i', '', $data);
And before somebody is going to tell me that Regexes+HTML are an evil combination: You are right, but in this specific case it's perfectly valid since script tags have some specific behaviour such as that the first </script> will close the script tag; no matter if it's inside quotes etc.
However, if you plan to do anything else with the HTML data, use a HTML parser!
Read this: Writing secure PHP
Also, please don't steal content, if that's what you are doing.
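The answer's closing advice to use an HTML parser, shown as an added example that is not from the original posts: script elements are removed with PHP's DOM extension instead of a regex. stripScriptElements() and the sample page are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: drop every <script> element using a real HTML parser.
function stripScriptElements(string $html): string
{
    $doc = new DOMDocument();
    // Fetched pages are rarely valid; collect parser warnings instead of printing them.
    $previous = libxml_use_internal_errors(true);
    // LIBXML_NONET keeps the parser from fetching anything over the network.
    // The XML prolog is a common way to make libxml read the input as UTF-8.
    $doc->loadHTML('<?xml encoding="UTF-8">' . $html, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    if ($doc->documentElement === null) {
        return '';
    }
    // getElementsByTagName() returns a live list; copy it before removing nodes.
    foreach (iterator_to_array($doc->getElementsByTagName('script')) as $node) {
        $node->parentNode->removeChild($node);
    }
    // Serialise only the root element, which leaves the prolog out of the result.
    return $doc->saveHTML($doc->documentElement);
}

// Constructed sample page: mixed-case tags, attributes, and markup inside a script string.
$page = '<html><body><p onclick="x()">Hello</p>'
      . '<SCRIPT type="text/javascript">track("<b>");</SCRIPT>'
      . '<script src="https://example.test/a.js"></script></body></html>';

// The onclick attribute is still present in the result: only <script> elements are removed.
echo stripScriptElements($page), "\n";
```

Removing script elements does not make fetched markup safe to display: event-handler attributes and javascript: URLs are untouched by both the regex and this helper, so markup shown to users still needs an allow-list sanitizer or full escaping.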

how to eval() a segment of a string

I have a string that has HTML & PHP in it, when I pull the string from the database, it is echo'd to screen, but the PHP code doesn't display. The string looks like this:
$string = "Hello <?php echo 'World';?>";
echo $string;
Output
Hello
Source Code
Hello <?php echo 'World';?>
When I look in the source code, I can see the php line there. So what I need to do is eval() just the php segment that is in the string.
One thing to consider is that the PHP could be located anywhere in the string at any given time.
* Just to clarify, my PHP config is correct, this is a case of some PHP being dumped from the database and not rendering, because I am echo'ing a variable with the PHP code in it, it fails to run. *
Thanks again for any help I may receive.
$str = "Hello
<?php echo 'World';?>";
$matches = array();
preg_match('/<\?php (.+) \?>/x', $str, $matches);
eval($matches[1]);
This will work, but like others have and will suggest, this is a terrible idea. Your application architecture should never revolve around storing code in the database.
Most simply, if you have pages that always need to display strings, store those strings in the database, not code to produce them. Real world data is more complicated than this, but must always be properly modelled in the database.
Edit: Would need adapting with preg_replace_callback to remove the source/interpolate correctly.
You shouldn't eval the PHP code, just run it. A PHP interpreter needs to be installed, and Apache+PHP properly configured. Then this .php file should output Hello World.
Answer to the edit:
Use preg_replace_callback to get the PHP part, eval it, replace the input with the output, then echo it.
But if you have to eval things that come from the database, I'm almost sure it's a design error.
eval() should work fine, as long as the code is proper PHP and ends with a semicolon. How about you strip off the php tag first, then eval it.
The following example was tested and works:
<?php
$db_result = "<?php echo 'World';?>";
$stripped_code = str_replace('?>', '', str_replace('<?php', '', $db_result));
eval($stripped_code);
?>
Just make sure that whatever you retrieve from the db has been properly sanitized first, since you're essentially allowing anyone who can get content into the db, to execute code.
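One way to follow the advice in the answers above, storing strings rather than code and substituting with preg_replace_callback, as an added example that is not from the original posts. The {{name}} placeholder syntax, renderStored() and the sample row are assumptions; the row is treated as text to display, not as trusted markup.

```php
<?php
declare(strict_types=1);

// Hypothetical renderer: the database row holds text with {{placeholders}},
// never PHP. Nothing from the row reaches eval() or include.
function renderStored(string $stored, array $values): string
{
    // Escape the stored text first so markup in the row is shown, not rendered.
    // htmlspecialchars() leaves "{" and "}" alone, so placeholders survive.
    $safe = htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    $out = preg_replace_callback(
        '/\{\{\s*([a-z_][a-z0-9_]*)\s*\}\}/i',
        static function (array $m) use ($values): string {
            $key = strtolower($m[1]);
            // Allow-list: only keys the application supplies are substituted;
            // unknown placeholders are left visible as written.
            if (!array_key_exists($key, $values)) {
                return $m[0];
            }
            return htmlspecialchars((string) $values[$key], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        },
        $safe
    );

    // preg_replace_callback() returns null on a PCRE error; fall back to the escaped text.
    return $out ?? $safe;
}

// Constructed sample row. A PHP tag stored in it is printed as text, never run.
$row = 'Hello {{ name }}! <?php echo "ignored"; ?> {{unknown}}';

echo renderStored($row, ['name' => 'World <admin>']), "\n";
```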
