Register | Login
Views: 19364387
Main | Memberlist | Active users | ACS | Commons | Calendar | Online users
Ranks | FAQ | Color Chart | Photo album | IRC Chat
11-02-05 12:59 PM
0 user currently in Programming. | 3 guests
Acmlm's Board - I2 Archive - Programming - Any way to do this in PHP? | |
Add to favorites | "RSS" Feed | Next newer thread | Next older thread
User Post
HyperLamer
<||bass> and this was the soloution i thought of that was guarinteed to piss off the greatest amount of people

Sesshomaru
Tamaranian

Level: 118

Posts: 5079/8210
EXP: 18171887
For next: 211027

Since: 03-15-04
From: Canada, w00t!
LOL FAD

Since last post: 2 hours
Last activity: 2 hours
Posted on 06-19-05 02:03 PM Link | Quote
I've set up my website with a PHP-base automated news system which is quite nice. The code basically just opens up a text file and does this:
while (!feof($file))
{
$text = fgets($file, 4096);
echo $text."<br>\n";
}

I'm looking for a way that I could embed PHP code in the file. That is if I stuck something like in the text file it would execute the code and just output 'test' rather than outputting the PHP code itself.
[edit] Forgot to escape a <br>.

I'm gonna murder that <code> tag, I swear. Just as soon as I figure out how...


(edited by HyperHacker on 06-19-05 03:44 PM)
(edited by HyperHacker on 06-20-05 12:15 AM)
Ramsus

Octoballoon
Level: 19

Posts: 107/162
EXP: 34651
For next: 1126

Since: 01-24-05
From: United States

Since last post: 39 days
Last activity: 71 days
Posted on 06-19-05 04:03 PM Link | Quote
If your $file variable is tainted (i.e. comes from outside the script, like a $_GET variable), then check it first. For example, suppose we only want names with letters, numbers , and dashes (which should be very secure):

preg_match('/^[\\w\\d_\\-]+$/', $page)) or die "Error: invalid page name.";

Add a folder prefix (since we don't want to messy up our toplevel) and a .php extension (so users can't stumble across the PHP code):

$page = "some_folder_for_pages/" . $page . ".php";

Make sure it exists.:

file_exists($page) or die "Error: page does not exist.";

Then run include as follows, which evaluates any PHP code in the file:

include($page);


Even if you just use regular file functions, remember to taint check.


(edited by Ramsus on 06-19-05 07:05 AM)
(edited by Ramsus on 06-19-05 07:06 AM)
HyperLamer
<||bass> and this was the soloution i thought of that was guarinteed to piss off the greatest amount of people

Sesshomaru
Tamaranian

Level: 118

Posts: 5087/8210
EXP: 18171887
For next: 211027

Since: 03-15-04
From: Canada, w00t!
LOL FAD

Since last post: 2 hours
Last activity: 2 hours
Posted on 06-20-05 12:44 AM Link | Quote
Yes, I check that... The file comes from a directory listing which the user has no control over though, so it's not especially important. The main issue is leaving the system intact - if I just include the file, it won't work the way I have it now. My code reads one line and assigns it to one variable, another line to another variable, and then prints all the rest of the lines. Plus as an unxepected but nice side-effect of printing a <br> after each line, line breaks in the file get translated to line breaks on the page... Neither of these would be possible if I just included the file directly.
King_Killa

Koopa
Level: 15

Posts: 43/117
EXP: 15096
For next: 1288

Since: 06-13-05
From: Shangri-La

Since last post: 37 days
Last activity: 18 days
Posted on 06-20-05 01:07 AM Link | Quote
you'll probably need to use EVAL();

Use the regex to seperate PHP from text, and eval the php code.


(edited by King_Killa on 06-19-05 04:07 PM)
Ramsus

Octoballoon
Level: 19

Posts: 108/162
EXP: 34651
For next: 1126

Since: 01-24-05
From: United States

Since last post: 39 days
Last activity: 71 days
Posted on 06-20-05 01:23 AM Link | Quote
Just buffer the output. Next time list any extra requirements or show the related code if you want better suggestions.

<?php
$lines = array();

function breaklines($buffer)
{
global $lines;
// Save the first few lines in a global array.
$lines[] = strtok($buffer, "\n");
$lines[] = strtok("\n");
$lines[] = strtok("\n");
// Replace newlines with HTML linebreaks
return str_replace("\n", "<br />", $buffer);
}

// Set some variables for the included script to use
$title = "Some title.";
$name = "Some name.";

ob_start(breaklines); // Start buffering output and send it to breaklines()
include("content.php"); // Include the content PHP file. It gets parsed normally, but the output is buffered and sent to breaklines()
ob_end_flush(); // Get the result from breaklines() and send it to the browser


// Note that breaklines saved the first few lines in a global array
echo "

And the first three lines we saved are:"
. $lines[0] . "<br />"
. $lines[1] . "<br />"
. $lines[2] . "</p>";

?>

King_Killa

Koopa
Level: 15

Posts: 44/117
EXP: 15096
For next: 1288

Since: 06-13-05
From: Shangri-La

Since last post: 37 days
Last activity: 18 days
Posted on 06-20-05 01:38 AM Link | Quote
Oh yea, that'll work better than eval. I was thinking of when I stored PHP code in an SQL table, and got it running.
Ramsus

Octoballoon
Level: 19

Posts: 109/162
EXP: 34651
For next: 1126

Since: 01-24-05
From: United States

Since last post: 39 days
Last activity: 71 days
Posted on 06-20-05 01:56 AM Link | Quote
I thought about eval too, but then I saw how PHP implemented it and immediately looked up buffering instead (I saw a few examples of using ob_ functions a year or so ago from an article that PHP Savant pretty much grew out of).

eval sounds useful for small bits of PHP code, but for a large file, include is about as fast and efficient as readfile, while still evaluating the PHP code. That's part of the reason I try to use it in place of other methods whenever possible (along with functions like str_replace and explode).


(edited by Ramsus on 06-19-05 04:57 PM)
Add to favorites | "RSS" Feed | Next newer thread | Next older thread
Acmlm's Board - I2 Archive - Programming - Any way to do this in PHP? | |


ABII


AcmlmBoard vl.ol (11-01-05)
© 2000-2005 Acmlm, Emuz, et al



Page rendered in 0.007 seconds.