This is a follow-up question to the one I posted here (thanks to mario)
Ok, so I have a preg_replace statement to replace a url string with sometext, insert a value from a query string (using $_GET["size"]) and insert a value from a associative array (using $fruitArray["$1"] back reference.)
Input url string would be:
http://mysite.com/script.php?fruit=apple
Output string should be:
http://mysite.com/small/sometext/green/
The PHP I have is as follows:
$result = preg_replace('|http://www.mysite.com/script.php\?fruit=([a-zA-Z0-9_-]*)|e', ' "http://www.mysite.com/" .$_GET["size"]. "/sometext/" .$fruitArray["$1"]. "/"', $result);
This codes outputs the following string:
http://mysite.com/small/sometext//
The code seems to skip the value in $fruitArray["$1"].
What am I missing?
Thanks!
Well, weird thing.
Your code work's perfectly fine for me (see below code that I used for testing locally).
I did however fix 2 things with your regex:
Don't use | as a delimiter, it has meaning in regex.
Your regular expression is only giving the illusion that it works as you're not escaping the .s. It would actually match http://www#mysite%com/script*php?fruit=apple too.
Test script:
$fruitArray = array('apple' => 'green');
$_GET = array('size' => 'small');
$result = 'http://www.mysite.com/script.php?fruit=apple';
$result = preg_replace('#http://www\.mysite\.com/script\.php\?fruit=([a-zA-Z0-9_-]*)#e', ' "http://www.mysite.com/" .$_GET["size"]. "/sometext/" .$fruitArray["$1"]. "/"', $result);
echo $result;
Output:
Rudis-Mac-Pro:~ rudi$ php tmp.php
http://www.mysite.com/small/sometext/green/
The only thing this leads me to think is that $fruitArray is not setup correctly for you.
By the way, I think this may be more appropriate, as it will give you more flexibility in the future, better syntax highlighting and make more sense than using the e modifier for the evil() function to be internally called by PHP ;-) It's also a lot cleaner to read, IMO.
$result = preg_replace_callback('#http://www\.mysite\.com/script\.php\?fruit=([a-zA-Z0-9_-]*)#', function($matches) {
global $fruitArray;
return 'http://www.mysite.com/' . $_GET['size'] . '/sometext/' . $fruitArray[$matches[1]] . '/';
}, $result);
i write it again, i don't understand good where is the error, the evaluation of preg results is very weird in php
preg_replace(
'|http\://([\w\.-]+?)/script\.php\?fruit=([\w_-]+)|e'
, '"http://www.$1/".$_GET["size"]."/sometext/".$fruitArray["$2"]."/";'
, $result
);
It looks like you have forgotten to escape the ?. It should be /script.php\?, with a \? to escape properly, as in the linked answer you provided.
$fruitArray["\$1"] instead of $fruitArray["$1"]
Related
I need to be able to store and echo regular expressions. In my case the user enters the regex into a form and that exact sequence of characters needs to be echo-ed to the screen sometime later. The problem is that the echo changes the characters.
So for instance I have tried this
$regex = '(?<=amount\">\$)(.*?)(?=</strong>)';
but when I echo it..
echo $regex;
I get...
((((amount\">\$)(.*?)(?=)
If I do this
$regex = htmlentities($regex);
I get this which helped with the missing part of the regex but not the multiple ((((
((((amount\">\$)(.*?)(?=</strong>
htmlspecialchars did not help either.
How do I get it to echo the variable exactly as it is written? And what would I need to do to store them in MySQL and retrieve them exactly as written?
EDIT - in response to some observations below, I add a bit more detail. This new example was done on a PHP 7.1 server in the cloud, Centos 7 rendered using Chrome.
$regex = '(?<=amount\">\$)(.*?)(?=</strong>)';
$page_elements_regex[1][0] = $regex;
$page_elements_regex[1][1] = addslashes($regex);
$page_elements_regex[1][2] = htmlspecialchars($regex);
$page_elements_regex[1][3] = htmlentities($regex);
echo "regex " . $page_elements_regex[1][0] . "<BR>";
echo "addslashes " . $page_elements_regex[1][1] . "<BR>";
echo "htmlspecialcharacters " . $page_elements_regex[1][2] . "<BR>";
echo "htmlentities " . $page_elements_regex[1][3] . "<BR>";
Results
regex ((((amount\">\$)(.*?)(?=)
addslashes ((((amount\\\">\\$)(.*?)(?=)
htmlspecialcharacters ((((amount\">\$)(.*?)(?=</strong>)
htmlentities ((((amount\">\$)(.*?)(?=</strong>)
It is also a big clue that if you take off the first ( like this
$regex = '?<=amount\">\$)(.*?)(?=</strong>)';
The result removes the first a of amount!! Is it interpreting the regex instead of echoing it?
?(((mount\">\$)(.*?)(?=)
I have solved it, and I feel a bit foolish about the answer. My bad.
Somewhere else in my code I had this
$regex[1] = '(?<=amount\">\$)(.*?)(?=</strong>)';
$regex[2] = '(?<=amount\">\$)(.*?)(?=</strong>)';
$regex[3] = '(?<=amount\">\$)(.*?)(?=</strong>)';
I have no idea why this gave the result it did, rather than a straight up error, but once removed it all is fine. The bottom line is that both htmlspecialcharacters and htmlentities give the right answer, Lesson learnt. Check all the code, my mistake was in the use of arrays, defining $regex as an array and a variable, not as I first thought here.
This is the code Im getting the error on:
$show_nav = preg_replace('#\{\$SUBMENU([0-9]+)\}#',implode("\n",$sub_menu['submenu$1']),$show_nav);
So basically I want to replace a string within the $show_nav variable such as {$SUBMENU2} with data from the sub menu array. I tested and it works just fine if I manually put in the number like so:
$show_nav = preg_replace('#\{\$SUBMENU([0-9]+)\}#',implode("\n",$sub_menu['submenu2']),$show_nav);
I also verified the regex is grabbing the proper variable by doing this:
$show_nav = preg_replace('#\{\$SUBMENU([0-9]+)\}#','$1',$show_nav);
It replaces the string with what is found in the {$SUBMENU} string. So if its {$SUBMENU3} it gives me back 3, {$SUBMENU5} it gives me back 5. But I cant seem to get it to dynamically read the $1 variable. I tried adding curly brackets, still same error:
$show_nav = preg_replace('#\{\$SUBMENU([0-9]+)\}#',implode("\n",$sub_menu['submenu{$1}']),$show_nav);
or:
$show_nav = preg_replace('#\{\$SUBMENU([0-9]+)\}#',implode("\n",$sub_menu['{submenu$1}']),$show_nav);
I know Im entering it wrong, but cant figure out the proper way of doing it. Any suggestions?
****UPDATE****
Thanks for the suggestions provided by Toto and Wiktor Stribiżew this is the code that resolved my issue, thanks again!!!
$show_nav = preg_replace_callback(
'#\{\$SUBMENU([0-9]+)\}#',
function($m) use($sub_menu) {
if(isset($sub_menu['submenu' .$m[1]]))
{
return '<ul class="nav-dropdown">' .implode("\n",$sub_menu['submenu' .$m[1]]) .'</ul>';
}
},$show_nav);
preg_replace_callback is your friend:
$show_nav = preg_replace_callback(
'#\{\$SUBMENU([0-9]+)\}#',
function($m) use($sub_menu) {
return implode("\n",$sub_menu['submenu'.$m[$1]])
},
$show_nav);
I have website where users can search posts by entering keywords,
I am using Sphinx search for full text search, everyhting is working as expected.
But when i enter/input some special charaters in search query the search dosnt complete and throws error.
e.g.
keyword i search for :
hello)
my query for sphinxql :
SELECT id FROM index1 WHERE MATCH('hello)')
error i get :
index index1: syntax error, unexpected ')' near ')'
my php code looks like this
<?php
$sphinxql = mysqli_connect($sphinxql_host.':'.$sphinxql_port,'','') or die('ERROR');
$q = urldecode($_GET['q']);
$sphinxql_query = "SELECT id FROM $sphinx_index WHERE MATCH('".$q."') ";
?>
How can i escape user input and make sure the query wont brake and return the result set ?
You should use SQL escaping, to avoid SQL injection.
http://php.net/manual/en/mysqli.real-escape-string.php
$sphinxql_query = ".... MATCH('".mysqli_real_escape_string($sphinxql,$q)."') ";
... BUT you may want to ALSO, escape extended syntax.
See the FIRST THREE POSTS (after that it delves into misunderstanding) in this thread in the sphinx forum
http://sphinxsearch.com/forum/view.html?id=13619
For a simple solution.
The function in that thread, can be used to make your query work. It will escape the ) and stop it being taken as a operator.
BUT, it also means you WONT be able to use any search operators - because it blindly escapes them ALL. (which is the confusion later in the thread)
If you want to be able to use some or all operators, need to use more advanced escaping. (which I dont have a good solution for)
Edit: actully lets go the whole hog...
<?php
//Escapes all the Extended syntax, so can accept anything the user throws at us.
function EscapeString ( $string ) {
$from = array ( '\\', '(',')','|','-','!','#','~','"','&', '/', '^', '$', '=' );
$to = array ( '\\\\', '\(','\)','\|','\-','\!','\#','\~','\"', '\&', '\/', '\^', '\$', '\=' );
return str_replace ( $from, $to, $string );
}
if ($allow_full_extended_syntax) {
$q = $_GET['q'];
// the user is responsible for providing valid query.
} elseif ($allow_partical_extended_syntax) {
$q = InteligentEscape($_GET['q']);
//I don't have this function, it would need to be created.
} else {
$q = EscapeString($_GET['q']);
// escapes ALL extended syntax. NO operators allowed
}
$sphinxql_query = ".... MATCH('".mysqli_real_escape_string($sphinxql,$q)."') ";
Then it sounds like you want both $allow_full_extended_syntax and $allow_partical_extended_syntax set to false. Which means no operators will work, because they will be fully escaped.
The EscapeString function needs to escape the < character as well. Also see escapeString function in PECL shpinx for reference.
Could someone point out what I'm mistaking here? :)
<?php
$q = $_GET[q];
$acuman = <<<PARSE
input: (contains: "hello"){
output: "hello";
}
PARSE;
$acuman = str_replace("input: (contains: ", 'if(strpos(', $acuman);
$acuman = str_replace("){", ', $q) !== false) {', $acuman);
$acuman = str_replace("output: ", '$output = ', $acuman);
eval($acuman);
?>
I'm attempting to execute the string $acuman, a heredoc which has been altered by various str_replace functions. However, it is not doing what I intend it to do, and I am confused as of what to do as I've tried many different things.
Since many people seemed confused: My intention is for the code in the string $acuman to be executed as code properly. I just want the eval function to work. I know that eval is evil, please, stop: I'm just asking for help for solving the problem at hand.
Edit: When I echo the string $acuman, this is what I get:
if(strpos("hello", $q) !== false) { $output = "hello"; }
You have the arguments in the wrong order:
if(strpos($q, "hello") !== false) { $output = "hello"; }
strpos() takes the "haystack" (string being searched) as the first argument and the "needle" (string to find as within the "haystack") as the second argument.
Ok, so... $acuman appears to contain the following:
if(strpos("hello", $q) !== false) {
echo "hello";
}
Which indicates that $q needs to contain a portion of "hello" to echo the string "hello".
I don't see any problem here, EXCEPT that $q = $_GET[q]; won't work with any modern version because q is treated like a constant, not a variable nor a string literal array index. See this PHP documentation on the subject.
Upon changing to $q = $_GET['q']; instead (note the quotes), it seems like this code actually works. It will output "hello" whenever passing any portion of "hello" to the URL parameter (which gets passed to the PHP code).
Needless to say: Do not use this code for production. The code as it is is very vulnerable and allows a user to pass raw PHP code through to your script to execute. The function of this code can be completely re-written in a much safer manner, but you have expressed the desire to continue using eval(); so please be careful.
Enjoy.
I would like to know if it's possible to execute the php code in a string. I mean if I have:
$string = If i say <?php echo 'lala';?> I wanna get "<?php echo 'dada'; ?>";
Does anybody knows how?
[EDIT] It looks like nobody understood. I wanna save a string like
$string = If i say <?php count(array('lala'));?>
in a database and then render it. I can do it using
function render_php($string){
ob_start();
eval('?>' . $string);
$string = ob_get_contents();
ob_end_clean();
return $string;
}
The problem is that I does not reconize php code into "" (quotes) like
I say "<?php echo 'dada'; ?>"
$string = ($test === TRUE) ? 'lala' : 'falala';
There are lots of ways to do what it looks like you're trying to do (if I'm reading what you wrote correctly). The above is a ternary. If the condition evaluates to true then $string will be set to 'lala' else set to 'falala'.
If you're literally asking what you wrote, then use the eval() function. It takes a passed string and executes it as if it were php code. Don't include the <?php ?> tags.
function dropAllTables() {
// drop all tables in db
}
$string = 'dropAllTables();';
eval($string); // will execute the dropAllTables() function
[edit]
You can use the following regular expression to find all the php code:
preg_match_all('/(<\?php )(.+?)( \?>)/', $string, $php_code, PREG_OFFSET_CAPTURE);
$php_code will be an array where $php_code[0] will return an array of all the matches with the code + <?php ?> tags. $php_code[2] will be an array with just the code to execute.
So,
$string = "array has <?php count(array('lala')); ?> 1 member <?php count(array('falala')); ?>";
preg_match_all('/(<\?php )(.+?)( \?>)/', $string, $php_code, PREG_OFFSET_CAPTURE);
echo $php_code[0][0][0]; // <?php count(array('lala')); ?>
echo $php_code[2][0][0]; // count(array('lala'));
This should be helpful for what you want to do.
Looks like you are trying to concatenate. Use the concatenation operator "."
$string = "if i say " . $lala . " I wanna get " . $dada;
or
$string = "if i say {$lala} I wanna get {$dada}.";
That is what I get since your string looks to be a php variable.
EDIT:
<?php ?> is used when you want to tell the PHP interpreter that the code in those brackets should be interpreted as PHP. When working within those PHP brackets you do not need to include them again. So as you would just do this:
// You create a string:
$myString = "This is my string.";
// You decide you want to add something to it.
$myString .= getMyNameFunction(); // not $myString .= <?php getMyNameFunction() ?>;
The string is created, then the results of getMyNameFunction() are appended to it. Now if you declared the $myString variable at the top of your page, and wanted to use it later you would do this:
<span id="myString"><?php echo $myString; ?></span>
This would tell the interpreter to add the contents of the $myString variable between the tags.
Use token_get_all() on the string, then look for a T_OPEN_TAG token, start copying from there, look for a T_CLOSE_TAG token and stop there. The string between the token next to T_OPEN_TAG and until the token right before T_CLOSE_TAG is your PHP code.
This is fast and cannot fail, since it uses PHP's tokenizer to parse the string. You will always find the bits of PHP code inside the string, even if the string contains comments or other strings which might contain ?> or any other related substrings that will confuse regular expressions or a hand-written, slow, pure PHP parser.
I would consider not storing your PHP code blocks in a database and evaluating them using eval. There is usually a better solution. Read about Design Pattern, OOP, Polymorphism.
You could use the eval() function.