I'm integrating a framework (Kohana 2.3.4), into a web-app (IPB 2.3.4/2.3.6) via a third party bridge library (IPBWI 2.07), and I began seeing the string NOT FOUND at the top of the web-page output.
How can I turn that message off?
I narrowed it down to a call to class_exists(...) in IPB. The call is working correctly, except for the printing of the "NOT FOUND" message. When executed by itself (not invoked by Kohana via the IPBWI) the message is not printed. What is strange is that I've identified calls to the same method in Kohana which are invoked earlier, but do not print the message.
echo 'Calling class_exists<br>';
if ( ! class_exists( 'db_main' ) )
echo 'class_exists returns false<br>';
...
results in:
Calling class_exists()<br>NOT FOUND<br>class_exists() returns false<br>
Note that it is not only printing 'NOT FOUND' but following it with an html <br> tag as though intended for runtime debugging.
I'm not very familiar with PHP, but is there some global debug setting that is being enabled? What sorts of flags should I check?
I don't think that internal functions, such as call_exists() will output that kind of debug message.
But note that, by default, calling class_exists for a class that's not be defined yet will result in the autoloader being called.
If there is an autoloader set somewhere in your application, maybe that autoloader is echoing "NOT FOUND" when it's not able to autoload a class.
For more informations about autoloading, see :
Autoloading Classes
spl_autoload_register
Now, to be sure, and know where this autoloader is defined, and what it's doing (and, possibly, find a way to remove that message), you could search for "NOT FOUND" in all the source files of your project -- it's a bit of a brute-force solution, but it often help ;-)
Related
I am investigating a still undiscovered zero day exploit in Revive Adserver. An attack happen on one location and the attacker was able to invoke an eval which was already in the development and production version of Revive Adserver code base.
I have investigated the access_logs and they indicate the user was doing a POST attack on delivery script fc.php but the payload of POST still remains unclear.
The code base of Revive Adserver is very mixed, old and weird at times. There are lots of points where an eval is called in the code, and one might find something like:
$values = eval(substr(file_get_contents(self::$file), 6));
Which is actually a Smarty template thing, but it looks really scary.
As mentioned, lots and lots of eval appearances are throughout the code and it would take a whole lot time to go through each one at this time.
Is there a possibility to override eval function in PHP to display some trace information, i.e. from which file it was called, on which line did it occur?
If not, is it possible to do this by modifying PHP's C/C++ source code and recompiling it altogether?
Or is there a PHP extension or some tool which can trace all eval callbacks throughout a script?
And if there's no such thing, it would be great if someone would develop it since it would speed up investigating malicious code containing eval's.
is there a possibility to override eval function in PHP to display some trace information, i.e. from which file it was called, on which line did it occur?
Sort of.
You can add eval to disable_functions in php.ini. Then when you call eval you'll get the fatal error function eval not found or such.
Then with a custom error handler.
set_error_handler(function($errno, $errstr, $errfile, $errline){
if(false !== strpos($errstr,'eval')){
throw new Exception();
}else{
return false; //see below
}
//debug_print_backtrace() - I prefer exceptions as they are easier to work with, but you can use this arcane thing too.
});
Or something like that (untested).
Unfortunately you cannot redefine eval as your own function. Eval is not really a function, its a language construct like isset, empty, include etc... For example function_exists('empty') is always false. Some are just more "function" like then others.
In any case you'll probably have to disable eval, I cant really think of a way around that.
Tip
Don't forget you can do this:
try{
throw new \Exception;
}catch(\Exception $e){
echo $e->getTraceAsString();
}
Which both suppresses the exception (so execution continues), and gives you a nice stacktrace.
Tip
http://php.net/manual/en/function.set-error-handler.php
It is important to remember that the standard PHP error handler is completely bypassed for the error types specified by error_types unless the callback function returns FALSE
So given the above, you can/should return false for all other errors. Then PHP will report them. I am not sure it really matters much in this case, as this isn't really meant to be in production code, but I felt it worth mentioning.
Hope it helps.
Consider the following PHP template:
<?= var_dump($myVariable) ?>
This is rendered with the following controller code:
public function myAction() {
return $this->render("MyBundle::test.html.php");
}
Obiously, our variable $myVariable is not set in the template. When looking at this page in the dev environment we get an exception telling us that this variable is not defined. When looking at the page in the prod enviroment we get the output null.
I have debugged this for quite a bit but have not found the place where Symfony decides which variables need to be initialized with null. What happens behind the scenes is that Symfony calls export on the array of view variables (which is empty in our case) and then calls require on the view template itself. Funnily enough, when debugging the view, the variable is never defined, neither in dev nor in prod. But still there is different output for these two environments.
So my questions are:
How does Symfony do this?
Is this intended behavior?
Is this documented somewhere and I just missed it?
Is there a way to change this behavior so that it will also fail in prod and write an error to the log file?
I've only just started with PHP and Symfony, but it seems to me it goes something like this:
Symfony will call the require on the template
Your template starts executing
PHP tries to evaluate $myVariable
PHP will trigger E_NOTICE level error as described in PHP Manual
Here is where different environments come into play. Error level, which is defined under debug.error_handler.throw_at key in debug.xml is -1 (ALL) for dev and 0 (NONE) for prod. So for dev the ErrorHandler in Symfony will throw, for production it won't.
I have a new project to inspect and manage. It is written with ZF1.
There are views, contained in .phtml files which contain following code:
echo $this->partial('error.phtml', array('error'=>$this->error));
My issue is that no business logic, controller code or other application code sets
that error variable explicitly. I am hunting it down and need to figure out if this
error is set by Zend Framework itself.
My main lead is the CallbackHandler.php in Stdlib folder. It seems to be responsible for setting
an error flag to true, when its errorHandler is executed. Problem is that I'm not sure.
My second guess is that it is dead code and if $this->error is simply not used anywhere.
Any guesses ?
It depens on kind of displayed error.
For system errors write something like ErrorController and redirect to error page after handling of exeption(in dev mode you can add displaying of stack traces, etc).
For form validation "errors" there is build-in instruments to display it in forms.
I'm analyzing some PHP code which is running on a server I don't have full access to. I can read the phpinfo though. The code seems to run fine on the server. In my local environment I just can't get the code to run as I get a "Catchable Fatal Error" at some call of a method using type hinting.
someMethod(string $str) {
// Do something...
}
The error says the following: "Argument 1 passed to ... must be an instance of path\of\namespace\string, string given ...".
There is no use keyword with a string class nor can I find anything trough a grep command in the folders of the development environment.
Are there any PHP modules, extensions that can make such a type hinting work? The server and my development environment are using PHP 5.4.25.
What could the live system possibly provide to make such code run? Might it use some other programming language based on PHP like Hack? The rest of the code is pretty straight PHP!
You mention that there is no use statement or namespace declaration that alludes to a 'string' class in the code. Does the code use an Autoloader?
Two possible issues at hand here:
Paths - It is possible that the live environment has another path set up, and/or that a file/class is being loaded/searched for via this 'other path' (outside the code you may be looking at).
Error Handling - Another possible cause is if there is an error handler in the production environment that always returns true.
I had this exact issue where a type-hint wasn't resolving in development, but I didn't realize until we pushed it live and the error handler was no longer registered.
Obviously a fatal parse error can not be stopped, but it turns out a catch-able error can be ignored if the error handler returns true. And this is what I am putting my money on in your case.
Additionally, it is very important to note that there is no way to type-hint a scalar, as one user pointed out.
A simpler way to say it is "it is not possible to type-hint anything that can be represented by a string." This is due to the way in which PHP handles it's more primitive variables, they can all be type-cast to one another, and therefore (because 1, "1" and true can all be == 1, == '1' and == true) it is not actually possible for the interpreter as it is written to actually catch and enforce scalar type-hints.
Answer this question: Is that variable supposed to be $str = "something"; or $str = new string(); (ie, a string or an object)?
If it is supposed to be a string, remove the type-hint, as nothing in PHP allows this support (save for HHVM, but you would know this if you were using it).
Since you say you do not have access to the code, I suggest notifying someone who does.
I run into this problem periodically, and I'm trying to figure out if it's a configuration issue or a peculiarity with PHP.
Basically, there will be a function foo() defined somewhere in my code, and then elsewhere I will accidentally define a function again with the same name foo(). I would expect an error of some kind to be thrown, e.g. "Fatal Error: Function already defined line 234, bar.php blah blah".
But I get nothing. I just get a blank screen. Debugging can take an eternity as I try to pinpoint exactly where the function is being accidentally redefined, without help from an error message.
My config settings for reporting errors are set to E_ALL, and I see all other kinds of errors without a hitch.
Any insights? Is there anything I can do to cause PHP to report these errors (so that I can either rename the offending function or wrap it in an if function_exists() clause)?
Edit: To be clear, I understand the many strategies to avoid namespace collisions in PHP. I'm talking about instances where for whatever reason I accidentally name a function a name that already exists during development (or for example I import a file where a function has already been defined). I would expect an error message when this occurs, which would help me debug, but I do not get one.
You can wrap function definitions in a conditional function_exists():
if (!function_exists("file_get_contents"))
{
function file_get_contents(....)
....
}
works for me.
You could wrap a function_exists check around each function and have it throw an error message if it already exists. The better way however would be finding out why fatal errors don't appear on screen. Can you check phpinfo() for the error_reporting and related settings?
This is what you should be getting when trying to redefine a function:
Fatal error: Cannot redeclare file_get_contents() in D:\xyz\htdocs\test.php on line 5
From my phpinfo():
display_errors On
error_reporting 22519 (equals... well, I don't know but it shows errors :)
In some hosting environments when error reporting was turned off completely, I have found defining a custom error handler very helpful: set_error_handler()
Are you hosting the script on your local server? I know a UK based hosting company that prevent any PHP errors from being returned at all, even if you've set E_ALL.
If this is the case consider testing the app locally with error reporting turned on.
As an alternative, you can actually check whether a function is already there by using function_exists.
if (function_exists('foo'))
{
echo 'foo function exists !!';
}
else
{
echo 'foo function does not exists !!';
}
Some suggestions to make your life easier:
I typically will create a generic functions file, where I store all my global functions that I'll be using throughout my app.
I'll also try and remain as object-oriented as possible. PHP will give errors if you're creating an object that already exists, and by encapsulating your functions into logical objects you'll have an easier time maintaining it.
It seems you're not organizing your code properly, try using a common library that you include in your files, and define functions there. Perhaps you just need to start uses classes, then you won't have collisions when you have two functions with the same name.