i've been having problems trying to write attributes of xml files using php in mac. Now, the weird thing is that it works flawlesly on windows, but when i try to run the script in a mac, for some mysterious reason beyond me, it keeps writing the atributes of the xml file with dashes, this is the actual xml file that the script writes:
<stuff id=\"stuffid\"></stuff>
this is php code, really basic script:
$file = fopen("data.xml","w");
fwrite($file, $xml);
fclose($file);
can anyone lend a hand?, i've been looking for a solution to this all morning, im using mamp by the way
if the XML is coming from an external source as a string, my best guess is that php is mis-configured, in this case it's probably the magic_quotes_gpc setting, which should be set to "Off"
You probably have magic quotes turned on. Try this:
if(get_magic_quotes_gpc())
$xml = stripcslashes($xml);
Learn more at http://php.net/manual/en/security.magicquotes.php
have you considered using the DOMDocument class or SimpleXML class to construct your document?
It'll handle all this stuff for you...
Related
I have a website where users can upload files to share with others. But first I need to verify them.
Lately someone uploaded a .php file with the following commands:
‰PNG
<?php
eval(gzinflate(base64_decode("very large strings of characters")));
?>
I figured it might be harmful, so I didnt open it.
Does anyone have any idea what it does?
nobody can tell you, just do
<?php echo gzinflate(base64_decode("very large strings of characters")) ?>
to see what it would do....
edit: well now that you've posted the whole string i decoded it and pasted it here
Seems like the attacker's code was base64 encoded and gzipped.
So first the code is decoded from base64 encoding, and then it is unzipped basically until a string of code.
And then eval is called on the resulting string, which will execute the code that has been decoded and unzipped.
But without seeing what code gets generated, it is hard to say what it will do when the code is run.
I decoded the encoded text. Using the following approach
(I guess writing to file was a bad idea now that I think of it. Mainly if you're on Windows. I guess it is a bit safer on Linux with the execute bit turned off. So I was kind of lucky in this case!)
<?php
$test = gzinflate(base64_decode("encoded_text"));
$myFile = "testFile.txt";
$fh = fopen($myFile, 'w');
fwrite($fh, $test);
fclose($fh);
I wrote the output to file just in case there was some random html or javascript that could infect my computer if I just echoed it to my browser. That may be why you got an anti-virus warning.
I'm not sure what it does yet.
Just skimming through the code, which is like 4,750 lines of code, it seems like it sets up Basic Auth. And then there's a lot of database functions and some basic html interface. This in PHP. There's also some perl too. Near the end.
Basically what it seems to do is this: Every page where that image is displayed it will output parts of that code and execute it along with your code, and it will try to get input data, or try to find session data and or database values.
Then other parts of the code basically create an admin interface when the url is visited like this: url?admin=1, which brings up a Basic Auth authentication. And then there is an simple interface phpmyadmin like interface where the user can try out different queries and gather out metadata about your db. Probably other stuff run to exec, etc too.
I could be wrong, but that's the gist I get from going through the code.
The code is fine the only thing you need to take care is the long string that is encrypted
< ?php eval(gzinflate(base64_decode("very large strings of characters")));
for the reference of this kind of the statement you can refer to
http://php.net/manual/en/function.gzinflate.php
I have and input XML file that is not correctly formatted ( ie. it has '&' instead of '& amp;')
When i try to load this XML using PHP DOM, $doc->load("file.xml") it throws and error and stops the parsing.
Is there any way to load this un-formatted XML? and No I cant edit the source XML file.
I did try using $doc->loadHTML() but it throws errors all over the place.
I wanted to know if there is a proper way to do this (like load file contents and change it using regex or something similar)
Try setting $doc->validateOnParse = false; before loading your XML via $doc->loadHTML(...).
First, check that it's the & that's causing the error and not something else.
One way or another, you'll have to modify the XML to get it parsed. The HTML in loadHTML is loaded from a string, can't you just replace the invalid characters with the correct ones?
If your installation supports the PHP Tidy extension (http://php.net/manual/en/book.tidy.php) you could try to clean it up with that, though in my experience it's far from foolproof.
If you are sure that's the only thing making it not validate, then you could try loading the file into a string with file_get_contents() function, then search & replace through the string to change the &'s into &'s, then place that string into simpleXML like $xml = simplexml_load_string($cleaned_string);
I am completely lost with encoding issues, I have no idea what's going on, what the problem is exactly and how to fix it.
Basically I'm just trying to read an HTML file from a Zip file, parse it then output pieces to XML. Now something funky is happening with the text I get out of the parser.
When parsing the HTML, instead of a space I get á only if I write to the screen. If I keep it in a variable and write to a file it looks fine in the file. However even though it looks right in the XML something is wrong with it, my PHP parser can't parse that XML nor does IE seem to like it.
I had to first mb_convert_encoding($xmlcontent, "ASCII"); so I could get that XML to parse in PHP.
Any idea what my problem is?
extract HTML from a .tar.gz file using Perl
my $tar = Archive::Tar->new;
$tar->read("myfile.tar.gz");
$tar->extract_file('index.html', 'output.html');
load HTML, this is where it starts to get funky, I get output like Numberáofásourceálines
my $tree = HTML::TreeBuilder->new;
$tree->parse_file('output.html') or die $!;
$tree->elementify;
write to XML
my $output = new IO::File(">output.xml");
my $writer = new XML::Writer(OUTPUT => $output, DATA_MODE => 1,DATA_INDENT => 2);
If it looks correct when you write it to a file and wrong when you write it to the terminal, it sounds like your terminal is expecting the wrong encoding. Check your terminal settings.'
Also, see Jon Rockway's answer to "Why does modern Perl avoid UTF-8 by default?". With encodings, you have to convert your input to the correct encoding and convert your output to the correct encoding. Everything that looks at the data needs to know which encoding you're using.
I think I just fixed it by processing this on the html before parsing it, thanks for all the great pointers!
s/\ \;/ /g;
I've got PHP and HTML code stored in a database table. When I get this data, I need to echo the HTML and process the PHP. I thought I could use eval() for this, which works, if I do this eval("echo 'dlsj'; ?> EVALED "); I get "dlsjEVALED" printed out.
The problem is, I get a fatal error when I run longer scripts. Things like:
Parse error: syntax error, unexpected '<' in /home/content.php(18) : eval()'d code on line 1
Best advice - never store php and html code in your database. And avoid eval() like the plague.
I can't really tell what's wrong with your code, as you haven't provided enough information. But even if I did have some advice, I don't think I could give it in good conscience.
You should redesign your whole application so that it doesn't require storing such things in the database. I can't imagine why it would be necessary.
just right der...........
eval('?>' . $content .'<?php');
You need to re-open php mode after the EVALED. Apparently you have to do this with <? rather than the full <?php.
As a rule eval is to be avoided. But rules are made to be broken. There's a thread at When is eval evil in php? that gives some less dogmatic advice.
Depending on what you want to do, it might be suitable to use a template file that you source, with text that will vary stored in a local variable prior to sourcing the template.
As for storing code to be executed in the DB... this does happen in some frameworks like Drupal to provide convenient extensibility, but then Drupal is pretty thoroughly scoured for security weaknesses.
Also if you're writing self-modifying code then you need to use eval(). Not sure if anyone has done that in php but it would certainly be interesting.
I would guess that you're trying to eval() something that contains an opening <?php tag. And that leads to the error at hand.
$contents = htmlentities($contents);
echo html_entity_decode(eval($contents));
I know how to do this in Ruby, but I want to do this in PHP. Grab a page and be able to parse stuff out of it.
Take a look at cURL. Knowing about cURL and how to use it will help in many ways as it's not specific to PHP. If you want something specific however, you can use file_get_contents which is the recommended way in PHP to get the contents of a file into a string.
$file = file_get_contents("http://google.com/");
How to parse it depends on what you are trying to do, but I'd recommend one of the XML libraries for PHP.
You could use fopen in read mode: fopen($url, 'r'); or more simply file_get_contents($url);. You could also use readfile(), but file_get_contents() is potentially more efficient and therefore recommended.
Note: these are dependent on config (see the linked manual page) but will work on most setups.
For parsing, simplexml is enabled by default in PHP.
$xmlObject = simplexml_load_string($string);
// If the string was valid, you now have a fully functional xml object.
echo $xmlObject->username;
Its funny, I had the opposite question when I started rails development