  1. #1
    SitePoint Member
    Join Date
    Jun 2013
    Posts
    7
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    echo php code from a string

    I have a cms system where a client has requested that they be able to enter php snippets within the html content.

    This would be in the following format:

    HTML Code:
    [PHP]echo.php[/PHP]
    or

    HTML Code:
    [PHP]echo "<h4>here is some php code</h4><p>lets see if it works</p>";[/PHP]
    If the tag ended in .php, I know to include it as a file; otherwise I was planning on just evaluating the content.

    $Product_Details is being set from content in my DB.

    Example string from the DB:

    HTML Code:
    [PHP]echo.php[/PHP][PHP]echo "<h4>here is some php code</h4><p>lets see if it works</p>";[/PHP]<br /><p>&nbsp;</p><p><strong>test</strong></p>
    I have various functions as follows to help me find all the tags within a string and return them as an array for me to then replace them with the php code:


    HTML Code:
            $string=$Product_Details;
            $delimiter="[php]";
            $delimiterto="[/php]";
            $arrpos=array();           
            $arrpos=getSelectiveContent($string,$delimiter,$delimiterto,$exclude="");
            $arrsize=sizeof($arrpos);
            for($i=0; $i<$arrsize; $i++)
            {
                if(stripos($arrpos[$i],".php")>=0){
                 $Product_Details = str_ireplace("[php]".$arrpos[$i]."[/php]",'<?php include ('.$arrpos[$i].'); ?>',$Product_Details);
                }
                else
                {$Product_Details = str_ireplace("[php]".$arrpos[$i]."[/php]",'<?php echo eval('.$arrpos[$i].'); ?>',$Product_Details);}    
            } 
    
    function getSelectiveContent($content,$from,$to,$exclude="")
    {
        $return = array(); // array for return elements
        $size_FROM = strlen($from); 
        $size_TO = strlen($to);
    while(true)
    {
        $pos = stripos($content,$from); // find first occurrence of $from
        if( $pos === false )
        {
            break;  // if not exist break loop
        }
        else
        {
            $element  = extractor($content,$from,$to); // fetch first element
            if($exclude == "")
            {
                if( trim($element) != "" )
                {
                    $return[] = trim($element);
                }
            }
            else
            {
                if(trim($element) != "" && !strstr($element,$exclude)) // if nothing in range, and exclude is not in it
                {
                    $return[] = trim($element); // put fetched content in array.
                }
            }
            $content = substr($content,$pos+strlen($element)+$size_FROM+$size_TO); // remove $from to $to from content 
        }
    }
    unset($content,$from,$to,$element,$exclude,$pos,$size_FROM,$size_TO);
    return $return;
    }
    
    
    function extractor($str,$afrom,$ato)
    {
        $from_pos = stripos($str,$afrom);
        $from_pos = $from_pos + strlen($afrom);
        $to_pos   = stripos($str,$ato,$from_pos);// to must be after from
        $return   = substr($str,$from_pos,$to_pos-$from_pos);
        unset($str,$afrom,$ato,$from_pos,$to_pos );           
        return $return;
    
    }
    Then I was simply outputting as follows:

    PHP Code:
    <?php echo $Product_Details;?>
    The outputted html is as follows:

    HTML Code:
    <?php include (echo.php); ?><?php include (echo "<h4>here is some php code</h4><p>lets see if it works</p>";); ?><br /><p>&nbsp;</p><p><strong>test</strong></p>
    But it doesn't render any of the PHP. What am I doing wrong? Does what I am asking make sense?

    Thanks

  2. #2
    Keeper of the SFL StarLion's Avatar
    Join Date
    Feb 2006
    Location
    Atlanta, GA, USA
    Posts
    3,747
    Mentioned
    65 Post(s)
    Tagged
    0 Thread(s)
    Echo does not Evaluate the code.
    This is a MAJOR security hole. I highly, HIGHLY recommend you discourage your client from doing this. Ever. Evereverevereverevereverevereverever. As in "Get it in legal writing that you're not responsible when your client gets hacked to whatever evil-place his religion believes exists, because it's going to happen."

    That warning having been said.

    PHP Code:
    $split = preg_split("~\[\\?PHP\]~",$string); //Split the string up; this will slice the PHP sections out.
    foreach($split AS $index => $value) {
      //If index is even, you're in Echo mode.
      if($index % 2 == 0) {
        echo $value;
      } else {
        //We're inside a PHP block.
        if (substr($value,-4) == ".php") {
          include($value);
        } else {
          eval($value);
        } //EndifInner
      } //EndIfOuter
    } //Endforeach
    Never grow up. The instant you do, you lose all ability to imagine great things, for fear of reality crashing in.

  3. #3
    SitePoint Member
    Code looks kind of what I need as it looks like it would render the code snippets but what about the other normal text/html copy?

    Unsure how I would call it

    as currently I am doing all the replacing on the string first then simply

    PHP Code:
    <?php echo $Product_Details;?>

  4. #4
    SitePoint Enthusiast
    Join Date
    Apr 2004
    Location
    Michigan
    Posts
    79
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

  5. #5
    SitePoint Member
    Quote Originally Posted by litebearer View Post
    I don't want to highlight code

    I want to run it

  6. #6
    Keeper of the SFL StarLion's Avatar
    Quote Originally Posted by eastwood View Post
    Code looks kind of what I need as it looks like it would render the code snippets but what about the other normal text/html copy?

    Unsure how I would call it

    as currently I am doing all the replacing on the string first then simply

    PHP Code:
    <?php echo $Product_Details;?>
    You wouldn't be doing any string replacing. The above code I pasted is your execution phase; it's not a call, it would replace your line.

  7. #7
    SitePoint Member
    Quote Originally Posted by StarLion View Post
    You wouldn't be doing any string replacing. The above code I pasted is your execution phase; it's not a call, it would replace your line.
    The code you posted gives me the same result as my simple <?php echo $Product_Details;?>

  8. #8
    Keeper of the SFL StarLion's Avatar
    Yeah.. PCRE didn't like that pattern, apparently. So instead we'll use a different one.

    PHP Code:
    $split = preg_split("~(\[PHP\])|(\[/PHP\])~",$string); //Split the string up; this will slice the PHP sections out.
    foreach($split AS $index => $value) {
      //If index is even, you're in Echo mode.
      if($index % 2 == 0) {
        echo $value;
      } else {
        //We're inside a PHP block.
        if (substr($value,-4) == ".php") {
          include($value);
        } else {
          eval($value);
        } //EndifInner
      } //EndIfOuter
    } //Endforeach
    Note that you MUST NOT have php open/close tags wrapped around the string, or eval will fail. (You might want to substr check them out beforehand)

  9. #9
    SitePoint Member
    Nearly working :-)

    I have 2 test strings

    HTML Code:
    "features
    
     [PHP]echo.php[/PHP]"
    worked

    HTML Code:
    "[PHP]echo.php[/PHP]
    
    [PHP]echo "here is some php code - lets see if it works";[/PHP]
    test"
    Didn't

  10. #10
    Keeper of the SFL StarLion's Avatar
    HTML Code:
    "[PHP]echo.php[/PHP]
    
    [PHP]echo "here is some php code - lets see if it works";[/PHP]
    test"
    Didn't
    Well that's probably because you put double quotes inside your double quote string.

    Changing the PHP tag to a nonsense one so the forum engine doesn't interpret it:

    PHP Code:
    $string = "[MOO]echo.php[/MOO]

    [MOO]echo "here is some php code - lets see if it works";[/MOO]
    test"
    Note the colorization of the echo.

    Your string, when put into a single-quote encapsulation rather than a double-quote one, works as expected.

  11. #11
    SitePoint Member
    ok so I changed my string to use single quote and here is the example string from the db

    [MOO]echo.php[/MOO]
    <div><br />
    </div>
    <div>[MOO]echo 'here is some php code - lets see if it works';[/MOO]<br />
    <p>&nbsp;</p>
    <p><strong>test</strong></p>
    <br />
    </div>

    and here's what gets rendered in the browser

    <?php include (echo.php); ?>
    <div><br />
    </div>
    <div><?php include (echo 'here is some php code - lets see if it works'; ?><br />
    <p>&nbsp;</p>
    <p><strong>test</strong></p>
    <br />
    </div>

    and all you see is <p><strong>test</strong></p>

  12. #12
    Keeper of the SFL StarLion's Avatar
    wait... if you're pulling it from the database, where are you putting the quotes?

    Show me your code.... cause it sounds like you've changed an == to an =.

  13. #13
    SitePoint Member
    here are some examples of what I am trying to do:

    include_once("basketscript.php"); MiniBasket();
    include_once("../testimonial.php"); Testimonials( 5, "Support" );
    include_once("buttons.php"); include_once("bundles/bundles_script.php"); AddBundleAdvert("bundle_complete,bundle_space,bundle_stereo");
    include_once("basketscript.php"); ShopDisplayPrice( "CompleteM" );

    So, for example, we'd want to be able to have something like the following in the CMS text:

    [PHPCODE] include_once("basketscript.php"); ShopDisplayPrice( "CompleteM" ); [/PHPCODE]

    or would they need to be like this:

    [PHPCODE] include_once("basketscript.php"); [/PHPCODE][PHPCODE]ShopDisplayPrice( "CompleteM" ); [/PHPCODE]

  14. #14
    Keeper of the SFL StarLion's Avatar
    Either would work.
    [PHPCODE]basketscript.php[/PHPCODE][PHPCODE]ShopDisplayPrice( "CompleteM" );[/PHPCODE]
    or
    [PHPCODE]include_once("basketscript.php");[/PHPCODE][PHPCODE]ShopDisplayPrice( "CompleteM" );[/PHPCODE]
    or
    [PHPCODE]include_once("basketscript.php"); ShopDisplayPrice( "CompleteM" );[/PHPCODE]

    should all work correctly.
    Never grow up. The instant you do, you lose all ability to imagine great things, for fear of reality crashing in.
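
An added example, not part of any post in this thread: post #13 shows the client only needs to call a few known functions, so the eval()/include approach that post #2 warns about can be replaced by a dispatcher that runs only allowlisted names with literal arguments. The handler closures are hypothetical stand-ins for the site's real functions, and PHP 7.4 or later is assumed.

```php
<?php
declare(strict_types=1);

// Allowlist: the only names CMS content may invoke. These closures are
// stand-ins (assumptions) for the site's real functions from post #13; a real
// handler would do its own include_once instead of taking a path from content.
$handlers = [
    'MiniBasket'       => fn(): string => '<div class="basket"></div>',
    'ShopDisplayPrice' => fn(string $sku): string =>
        '<span data-sku="' . htmlspecialchars($sku, ENT_QUOTES) . '"></span>',
    'Testimonials'     => fn(int $count, string $category): string =>
        '<ul data-count="' . $count . '" data-category="'
        . htmlspecialchars($category, ENT_QUOTES) . '"></ul>',
];

// Replace each [PHPCODE]Name(args);[/PHPCODE] tag with its handler's output.
function renderTags(string $content, array $handlers): string
{
    $render = function (array $m) use ($handlers): string {
        $asText = htmlspecialchars($m[0], ENT_QUOTES); // fallback: display, never run
        $body = trim($m[1]);
        // Exactly one call: identifier, argument list, optional semicolon.
        if (!preg_match('~^([A-Za-z_]\w*)\s*\((.*)\)\s*;?$~s', $body, $call)
            || !isset($handlers[$call[1]])) {
            return $asText;
        }
        // Arguments must be escape-free double-quoted strings or integers.
        $args = [];
        $rest = trim($call[2]);
        while ($rest !== '') {
            if (!preg_match('~^(?:"([^"\\\\]*)"|(-?\d+))\s*(?:,\s*|$)~', $rest, $a)) {
                return $asText;
            }
            $args[] = isset($a[2]) ? (int) $a[2] : $a[1];
            $rest = substr($rest, strlen($a[0]));
        }
        try {
            return $handlers[$call[1]](...$args);
        } catch (\TypeError $e) { // wrong argument count or type
            return $asText;
        }
    };
    // A PCRE failure returns null; fail closed with empty output.
    return preg_replace_callback('~\[PHPCODE\](.*?)\[/PHPCODE\]~is', $render, $content) ?? '';
}

// Constructed sample content, modelled on the strings quoted in the thread.
$sample = '<p>[PHPCODE] ShopDisplayPrice( "CompleteM" ); [/PHPCODE]</p>'
        . '<p>[PHPCODE]phpinfo();[/PHPCODE]</p>';
echo renderTags($sample, $handlers), "\n";
```

The first tag is replaced by the handler's markup; the second names a function that is not on the allowlist, so it is HTML-escaped and shown as text instead of being executed.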

