can i create a page with a simple text area form, which will be entered PHP CODE and then, when i click to submit, it executes it? just like a Script page?
and most of all it is secure to put it? even in a admin protected page?
thankyou!
You sure can:
eval($_POST['txtScript']); //post method, with textarea named txtScript
However, it is extremely dangerous to permit this. Someone could wipe the current working directory via array_map("unlink", glob('*.*')); among the many, many other malicious things that could be done.
If you are allowing someone to author PHP code on a form and then, on submission, taking that PHP code and executing it, you're opening yourself up to HUGE, HUGE security risks. Is it possible to do? Sure, but I would highly recommend against doing it.
If you're absolutely sure you need to do this, read about the eval function. PHP: eval
you want to use PHP:eval, and no it is not safe even behind a login wall. Better put some predefined function that can be logged.
And of course, by definition anything you put as accessible is quite unsafe anyway.
Related
I have an ajax.php file to which all of my ajax calls point with an extra parameter of the script the current call demands to execute. My problem is that I want to limit some scripts to being executed by specific pages only, say for example sendComment.php should only be called from www.mysite.com/user/{any user}.
What I have done is put this code on top of every script that I want to limit:
if(strstr($_SERVER['HTTP_REFERRER'],'mysite.com/{page_allowed_to_exec_script}'){
Then do stuff here
}
But what I've come to notice is that not all browsers support the HTTP_REFERRER ( I might have spelled that incorrectly, I'm writing this by memory ), and as well as not being cross-browser it's also a pain in the butt having to hardcode this stuff in all of the files and is going to be an even bigger pain when it comes to changing stuff.. I'm looking for a way I can possibly have all the scripts in an array with all the pages that are able to execute them, and perform a check in the ajax.php file at start.
Does anyone have any idea how this can be achieved?
Even all browsers may not send "referer" because of some kind of "proxy","firewall" or "security" suite strips it out or even changes it.So you can trust on it.
If you control the referring page you can use sessions, cookies or the URL to pass the information if you feel it's that vital. If it's absolutely vital, your only option is sessions. The other two can easily be removed.
I have a jQuery console that I'm writing and I'd like to keep a log of what people type in there at what time with their IP address, for security reasons. I don't want to make the log public, but the console itself is supposed to be a fun sort of thing and isn't in a protected folder.
I want to put the log into my protected admin folder, but can I send Ajax data to a PHP file inside the protected folder or it will still prompt for the username/password?
I've already tried outright making the log itself in the folder from an external PHP file, but it doesn't work, hence why I'm wondering if it will work if the PHP file is inside the protected folder.
On a similar note, do I even need to bother with keeping a log? Like I said, it's for security purposes, but I don't know if it's necessary. As far as I know, with the way I've coded the console, it doesn't accept any input outside of the commands I've written. I'm still worried about things like SQL injection and the like.
Sorry for the long-winded question, and thanks in advance.
Why not create a database to store this sort of data? That way the data is not accessible to the users, and it is also stored nicely for anything you want to do with it. With this approach you could have you PHP page in a publicly accessible place too.
I would suggest PHP Data Objects for security if you choose to take this approach.
The question is worded a bit strangely, but I couldn't figure out any other way. I'd like to know if there is a better model for doing this. Here's what I have now:
Say I'm editing a user on my application. I submit the form, and it POSTs to apply.php?ref=edituser. Then on apply.php, it has a large conditional to determine which settings are being submitted, based on the ref variable, at which point it runs that part of the script. If it succeeds or has an error, it uses header("Location: uedit.php") to return to the previous page, also setting $_SESSION['err'] with the error code. That page checks to see if the error code is set, and displays and unsets it if it is.
I feel like I might have too much in a single script. Any opinions on this?
Do multiple forms submit to it?
As a general rule a form doesn't submit to a model a form submits to a controller in the MVC structure. The controller then decides how it should handle everything. But if you comment everything well and don't think it is to much I wouldn't worry about it.
Depends on your style. Website I'm working on only uses 2 main php files. Only thing I would recommend is to make sure you comment well
The cons with this kind of system is like mentioned before, it can be hard to keep track of all code in a logic way.
An other con is that php is an interpreted language which means that the whole file need to be parsed on each run. That means that if you separate the code into different files instead of building a big one you will gain performance. But of course, if it is not to big it won't matter.
So hopefully someone with admin privileges will see this and delete it for me.
From a semantic standpoint, you should go with hyperlinks in the HTML using the anchor tag. However, if the variables you need to pass contain critical information that you cannot risk being modified, you could consider using jQuery to POST the information instead. The disadvantage to using just JavaScript would be, of course, if JavaScript was disabled.
You could do both methods, however. If you place an anchor tag with GET variables and then use jQuery to attach a POST onclick, the JavaScript would trump the href. This way, under typical circumstances, the variables would be POST'ed. Under circumstances when JavaScript is unavailable, the variables would be GET'ed. You could then check in your PHP script that is processing the data which one happened (POST or GET) and with GET, do some extra error checking or processing to make sure the data is exactly what you expect. Of course, the big disadvantage to this is having to main the hyperlink and JavaScript URL in two places if anything changes.
EDIT: Reading this again, I started to think: Quite honestly, if you go with my suggestion and write extra error checking or processing code for the GET, it wouldn't hurt to run it on the POST either. And if that's the case, you might as well just do a GET and skip the JavaScript. It'll save you the overhead.
Apologies, this is a tragically simple question that will bore most of you.
I need to implement the simplest "leave your email and we'll contact you" web page. The simplest thing I could think of is doing an HTML form which calls a PHP script which appends the data in some file on the server. Easy to implement, but now I'm wondering if it's totally hackable. Is it? Are there obvious better ways that are still simple?
thanks
f
By hackable, do you mean could someone damage your file? Or read it? Or...? If I wanted to do what you said, I'd do this:
<?php
if(isset($_POST['submit_button_name'])){
$email = htmlentities($_POST['email_address_field_name'], ENT_QUOTES);
$handle = fopen("email_list.txt", "a");
fwrite($handle, "\n".$email);
fclose($handle);
}
?>
<form> ... </form>
It would be private in the sense that someone wouldn't know where to find it, and safe because I've used the htmlentities() function to remove any possible XSS.
It's all right, but you may find a full database or SQLite a better option.
Just make sure you put the file in a place that's not accessible to the other users (e.g. outside the web server root or in a protected directory), otherwise everyone would be able to see the comments.
If you do decide to use a database (which I would, if you can: http://www.w3schools.com/PHP/php_mysql_intro.asp), make sure you sanity check all of your data (http://php.net/manual/en/function.mysql-real-escape-string.php) before you insert it into the database.
I would use a database as it makes it many times easier to analyse your data or even output in in a nice format on the page.
There are a few things you could do. First of all, since you're recording an email address, you could just use PHP's mail() function to send an email to somewhere centralized.
This sounds like a beta signup page, and a file would be ok if you don't have a database available. Just make sure that the file is stored outside of the served folder (above public_html, for example).
Also make sure that you regex or clean the data so that someone can't use it as a zombie form for spamming. Just cut off the email address input after the first \r\n and that will fix it.
Whatever solution you choose (file, database, email, etc.), the safety will depend on the way you implement it:
How are you filtering the input?
How many submits do you permit per ip address?
etc.