Client Side PHP in Internet Explorer

While messing with PHP 5.0.0, I figured it’s finally time to take a look at Wez Furlong’s ActiveScript SAPI for PHP. Will the madness never end? ;)

In brief, Microsoft provides a mechanism in Windows to “embed” scripting engines (e.g. PHP) and thereby allow execution of code in other languages. More information can be found at MSDN on Windows Script Interfaces.

For PHP the best place for information is the extensive README.

Here’s a quick example which should probably work first time on Win 2000 / Win XP.

1. Download PHP 5 and unzip it somewhere (e.g. C:\php-5.0.0 – you need to create this directory!)

2. From a command prompt;

C:\> cd php-5.0.0
C:\php-5.0.0> regsvr32 php5activescript.dll

That’s it. Now the fun begins.

Create a (plain HTML) web page like;

');
foreach ( array_keys($GLOBALS) as $global_var ) {
    if ( is_object($GLOBALS[$global_var]) ) {
        $document->write($global_var."\n");
    }
}

View the page in IE and away you go (you should see a list of objects you’d normally use from Javascript).

Now all we need is Microsoft to bundle it with IE ;)

Back to reality, where it actually might be useful is if you want to write Windows sysadmin scripts in PHP.

Update: when posting this I thought it would be obvious that this is highly insecure. Make sure you read all the comments below before trying it.
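
To check whether a machine still has the engine registered after trying the steps above, the following PowerShell is an added example, not part of the original post. It scans COM class registrations for an in-process server whose DLL name matches php4activescript.dll or php5activescript.dll; the function name is hypothetical, and it assumes only the standard COM registry layout (CLSID\{clsid}\InprocServer32 with the DLL path as the default value).

```powershell
# Added example (not from the original post). Read-only: it changes nothing.
# Assumption: the engine is registered like any COM in-process server, i.e.
# HKCR\CLSID\{clsid}\InprocServer32 holds the DLL path as its default value.
function Find-PhpActiveScriptRegistration {   # hypothetical helper name
    param(
        # Matches php4activescript.dll and php5activescript.dll (names from the post)
        [string]$DllPattern = '(?i)php\d*activescript\.dll',
        # Native registry view plus the 32-bit view on 64-bit Windows
        [string[]]$ClsidRoots = @(
            'Registry::HKEY_CLASSES_ROOT\CLSID',
            'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID'
        )
    )
    foreach ($root in $ClsidRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($clsid in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
            # Some class keys are not readable by the current user; skip those
            try { $inproc = $clsid.OpenSubKey('InprocServer32') } catch { continue }
            if ($null -eq $inproc) { continue }
            $dll = ([string]$inproc.GetValue('')).Trim('"')   # '' = default value
            $inproc.Close()
            if ($dll -match $DllPattern) {
                [pscustomobject]@{
                    Clsid      = $clsid.PSChildName
                    Root       = $root
                    DllPath    = $dll
                    DllOnDisk  = Test-Path -LiteralPath $dll
                    # Reverse operation, as given in the comments below
                    Unregister = "regsvr32 /u `"$dll`""
                }
            }
        }
    }
}

$hits = @(Find-PhpActiveScriptRegistration)
if ($hits.Count -eq 0) {
    'No PHP ActiveScript engine registration found.'
} else {
    $hits | Format-List
}
```

A hit with DllOnDisk set to False means the registration was left behind after the PHP directory was deleted; the class entry is stale but still present in the registry.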

Written By:

Harry Fuecks

Harry has been working in corporate IT since 1994, with everything from start-ups to Fortune 100 companies. Outside of office hours he runs phpPatterns: a site dedicated to software design with PHP that aims to raise standards of PHP development. He also maintains Dynamically Typed: SitePoint's PHP blog.

 

{ 37 comments }

wow.a.name June 19, 2008 at 10:55 am

Now I have a problem with PHP when I try to open a file on my hard drive. It says “Do you want to open or save ‘file.php’” or something like that. And when I say “Open,” it goes back to the dialog. When I go to a PHP file online, it just shows the page. Should I use as recommended or what?

Anonymous July 7, 2007 at 1:12 am

I don’t necessarily think client-side PHP is the way to go, but it would be nice if we had a unified platform for client-server development.. One Language to Rule Them All. :)

Dave April 29, 2006 at 8:14 am

2 points to question in response to the comments in this article.

1. Security issues…what about comparing this to ActiveState’s ActivePerl or ActivePython distros that add those languages for use in IE and WSH? Are those more secure compared to this? ActiveState has provided those for a long time. I suppose someone could do viruses for Perl/Python and trigger it via IE, etc. for those that have it installed on Windows.

2. Has anyone considered using this PHP feature on the server side? After registering PHP, the Microsoft IIS web server’s ASP engine now has access to PHP as the scripting language to use much like VBScript/JScript, etc. or Perlscript (via ActiveState). I’ve wanted to use PHP in ASP for a while, since PHP is cooler than Perl. This seems to be a neat idea to me.

physicsnaw October 19, 2005 at 7:01 pm

The time will come when there is a compiler with which you can compile your PHP code into rpm or exe.

prabudas June 22, 2005 at 7:47 am

I am creating html page dynamically using JavaScript in WinCE. Can I use PHP instead of JavaScript.

Stefann June 13, 2005 at 10:35 pm

Anyone hear of PHP-GTK bindings, it welcomes a whole new world into web application development.

Marcelo November 11, 2004 at 2:59 pm

Wouldn’t it be great if we had a PHP interpreter that works like a Java Virtual Machine, preventing direct access to disk and all that stuff?

otto October 3, 2004 at 5:28 am

Just a theory, but using this method someone could embed it into an email and run arbitrary code on someone’s computer if they’ve enabled PHP. Possibly creating a virus.

Post-O-Matic August 14, 2004 at 1:11 pm

Client-side PHP scripting could have been very interesting for intranet ERP applications written with PHP, like the project I am working on right now.

The main problem being, of course, the issue of updating all clients. But if some reasonable solution for client side PHP scripting existed, being that WSH or PHP-GTK, I would immediately move on towards exploiting it. The possibilities are enormous.

Ben Vail August 12, 2004 at 2:55 pm

I believe someone mentioned Java, they _meant_ JavaScript.. A common, and incredibly annoying, confusion that really bugs me.. ;)^_^

..Other ActiveX thingies can already delete files, install adware, and generally screw things up, I fail to see how another method to do this is a big problem.. heheh :D

Cam July 21, 2004 at 7:30 pm

Since PHP4 shipped with a php4activescript.dll I’d imagine this functionality has been available for a while would I be right?

In regards to your average virus setting this up, chances would be slim. Only a small percentage of the population at large would have PHP installed on their computers and the paths to where phpXactivescript.dll could be found would vary greatly. Virii are designed to be small to get in and do their business undetected so the writer of one that included the DLL or even tried to remotely get it would either be very talented or very stupid.

Spyware is another story but with the updates in SP2 on the horizon spyware will get a wake-up call. IE wouldn’t even install the software for Windows Update without my express approval and even then no notice showed up, I had to click the button in the bar at the top to approve the download and refresh the page.

alec July 21, 2004 at 4:20 pm

Client-side PHP would be essentially useless for inexperienced computer users. Yes, one could write potentially useful client-side applications, but the client would have to configure his or her own security options and choose whether to allow or disallow certain actions. Average web users, my parents for instance, can barely manage their email inbox effectively. I highly doubt they could appropriately make use of such technology as a powerful yet customizable scripting environment.

Benny T July 21, 2004 at 7:24 am

I’m not too much of a nut, but wasn’t one of the reasons for having server-side PHP the security side of things? Being client side, it would be quite easy for some idiot to exploit the shit outta it.

THUMBS DOWN FROM THE T!

PictorieN July 21, 2004 at 7:11 am

Lets Just Say.

PHP Is Now Officially A Hackers Paradise!

Php held so much power being server side. Now bringing it to client side. I can See a whole new generation of virii/spyware.

Even a virus or piece of spyware could install php5activescript.dll and run wild!

johnm July 17, 2004 at 2:32 pm

One (semi) positive way that this could be used is in the development of interactive desktop environments using Active Desktop. Now before a flame-fest, I’m merely pointing out that there are still a lot of people that do in fact use AD, and most that develop for AD have to use various JavaScript incarnations that more often than not don’t work properly, and I think that utilizing PHP would allow more robust options to those users.

rickwright July 15, 2004 at 4:11 pm

RE: How could this be a security risk?

while (($file = readdir($dh)) !== false) {
    unlink($dir.$file);
}

// Good manners
closedir($dh);

I think in this case good manners are especially important!

Widow Maker July 15, 2004 at 1:19 pm

The whole idea is completely bonkers :lol: Microsoft has had software in all forms released for years, and there are still security holes in it.

Adding a dynamic powerful scripting language like PHP to their [Microsoft] software is just asking for trouble in my view.

And just how useful is it going to be ? As mentioned it ain’t gonna work for the average web user, and I can see very few business models requiring this, whereas Java would not be an option anyways, as I said before.

HarryF July 15, 2004 at 7:35 am

I know its highly unlikely but my point is that it would be possible right?

True so I guess everyone should be careful. Personally not worried as have IE primed to alert when a page needs ActiveX and I’m not using IE anyway.

But the reverse operation to remove the PHP ActiveScript host is;


regsvr32 /u php5activescript.dll

Luke July 15, 2004 at 6:30 am

Just a thought, but if you do ‘regsvr32 php5activescript.dll’ on your machine for admin purposes wouldn’t that then expose you to malicious client-side PHP attacks through IE whilst using the web?

I know its highly unlikely but my point is that it would be possible right?

HarryF July 15, 2004 at 3:59 am

How could this be a security risk?

You’ve got full access to all of PHP’s functions e.g.


HarryF July 15, 2004 at 3:40 am

Think it’s worth saying, before anyone takes this too seriously, that PHP in IE is another “2.5” on Wez’s Evil Plans For World Domination and here’s one reason why…

Hmmm, keeps crashing internet explorer for me..

And it most definitely would be a security risk if available in IE.

Where this might have a use though, as mentioned, is for sysadmin scripts, through use of the Windows Scripting Host objects, for example if you create a file like;




Save it as example.wsf then run “cscript example.wsf” and you get the idea.

Seems you’ve pretty much got access to anything that provides a COM API in Windows, via the $WScript object. There’s a nice introduction (using VB – replace with PHP) here: http://cis.stvincent.edu/wsh/.

Cam July 15, 2004 at 1:48 am

You’d see the PHP code. It’s basically just Javascript with PHP syntax. It wouldn’t work for your average site though because the client needs to set it up.

Filip de Waard July 15, 2004 at 1:40 am

It would be nice if somebody wrote a plugin for Mozilla (Firefox) that includes this functionality and more JavaScript like stuff like CSS alteration (for hover effects etc). That way we won’t have to touch JavaScript anymore for our backend tools.

Wez Furlong July 14, 2004 at 8:21 pm

It’s a *huge* risk to run it in IE, since there is no sandbox. safemode is not good enough, and PHP allows your scripts to get away with doing just about anything.

I developed this SAPI while evaluating ways to embed PHP into windows applications, not to use in place of javascript (although it is an interesting side effect).

The main practical uses that spring to mind are either admin scripts (running under windows scripting host) or running under the MS scriptlet control and being embedded into a windows application that way.

mrsmiley July 14, 2004 at 6:53 pm

I believe Harry mentioned that a useful measure would be sysadmin scripts and I agree. Deploying it on a site would be too painful as everyone would need to install the sapi on their computers. So in that respect, the idea doesn’t have much merit (or at least until the day PHP rules the Internet)

On the security side of things, if you view source on the page, do you see the php code or the output of the php code?

Toby July 14, 2004 at 6:46 pm

Nice one! :) Maybe it’s possible to wrap PHP into a plugin for IE…

sevengraff July 14, 2004 at 6:42 pm

seems like a great tool if you want to write a simple program, and PHP is all you know.

john July 14, 2004 at 5:43 pm

Oh i forgot there is a project for php client side in mozilla.
http://www.thomas-schilz.de/MozPHP/README.html

john July 14, 2004 at 5:37 pm

insert php scripts for deleting files, but i think this would be good for intranets if it was in linux rather than windows of course.

Jake July 14, 2004 at 2:38 pm

I see both sides to this, but I have to ask. How could this be a security risk?

DemonX July 14, 2004 at 1:19 pm

Java isn’t a scripting language. PHP is a lot better than Java for this.

Widow Maker July 14, 2004 at 12:06 pm

I don’t really like this :(

1) Microsoft being the main issue for me
2) PHP is a server side language and I like it that way. Another language would be better placed, ie Java for example ?

Nope, sorry Harry, but this idea sucks big time :)

Andrew-J2000 July 14, 2004 at 12:01 pm

Hmmm, keeps crashing internet explorer for me..

Andrew-J2000 July 14, 2004 at 11:49 am

Nice one, I looked into this a while back…
Creating Protocol for PHP

Rynoguill July 14, 2004 at 11:31 am

I’m not sure I’m understanding this correctly, but wouldn’t this be a pretty big security risk?

Comments on this entry are closed.
