By Harry Fuecks

Client Side PHP in Internet Explorer

By Harry Fuecks

While messing with PHP 5.0.0 figured it’s finally time to take at Wez Furlongs Activescript SAPI for PHP. Will the madness never end? ;)

In brief Microsoft provide a mechanism in Windows to “embed” scripting engines (e.g. PHP) and thereby allow execution of code in other languages. More information can be found at MSDN on Windows Script Interfaces.

For PHP the best place for information is the extensive README.

Here’s a quick example which should probably work first time on Win 2000 / Win XP.

1. Download PHP 5 and unzip it somewhere (e.g. C:php-5.0.0 – you need to create this directory!)

2. From a command prompt;

C:> cd php-5.0.0
C:php-5.0.0> regsvr32 php5activescript.dll

That’s it. Now the fun begins.

Create a (plain HTML) web page like;


Output generated by '. phpversion(). ' ['.php_sapi_name().']



Available objects


foreach ( array_keys($GLOBALS) as $global_var ) { if ( is_object($GLOBALS[$global_var]) ) { $document->write($global_var."
"); } }

View the page in IE and away you go (you should see a list of objects you’d normally use from Javascript).

Now all we need is Microsoft to bundle it with IE ;)

Back to reality, where is actually might be useful is if you want to write Windows sysadmin scripts in PHP.

Update: when posting this thought it would be obvious that this is highly insecure. Make sure you read all the comments below before trying it.

  • im not sure im understanding this correctly, but wouldn’t this be a pretty big security risk?

  • Nice one, I looked into this a while back…
    Creating Protocol for PHP

  • Hmmm, keeps crashing internet explorer for me..

  • I don’t really like this :(

    1) Microsoft being the main issue for me
    2) PHP is a server side language and I like it that way. Another language would be better placed, ie Java for example ?

    Nope, sorry Harry, but this idea sucks big time :)

  • DemonX

    Java isn’t a scripting language. PHP is alot better then Java for this.

  • Jake

    I see both sides to this, but I have to ask. How could this be a security risk?

  • john

    insert php scripts for deleting files, but i think this would be good for intranets if it was in linux rather than windows of course.

  • john

    Oh i forgot there is a project for php client side in mozilla.

  • sevengraff

    seems like a great tool if you want to write a simple program, and PHP is all you know.

  • Toby

    Nice one! :) Maybe it’s possible to wrap PHP into a plugin for IE…

  • I believe Harry mentioned that a useful measure would be sysadmin scripts and I agree. Deploying it on a site would be too painful as everyone would need to install the sapi on their computers. So in that respect, the idea doesn’t have much merit (or at least until the day PHP rules the Internet)

    On the security side of things, if you view source on the page, do you see the php code or the output of the php code?

  • Wez Furlong

    It’s a *huge* risk to run it in IE, since there is no sandbox. safemode is not good enough, and PHP allows your scripts to get away with doing just about anything.

    I developed this SAPI while evaluating ways to embed PHP into windows applications, not to use in place of javascript (although it is in interesting side effect).

    The main practical uses that spring to mind are either admin scripts (running under windows scripting host) or running under the MS scriptlet control and being embedded into a windows application that way.

  • Filip de Waard

    It would be nice if somebody wrote a plugin for Mozilla (Firefox) that includes this functionality and more JavaScript like stuff like CSS alteration (for hover effects etc). That way we won’t have to touch JavaScript anymore for our backend tools.

  • Cam

    You’d see the PHP code. It’s basically just Javascript with PHP syntax. It wouldn’t work for your average site though because the client needs to set it up.

  • Think it’s worth saying, before anyone takes this too seriously, that that PHP in IE is another “2.5” on Wez’s Evil Plans For World Domination and here’s one reason why…

    Hmmm, keeps crashing internet explorer for me..

    And it most definately would be a security risk if available in IE.

    Where this might have a use though, as mentioned, is for sysadmin scripts, through use of the Windows Scripting Host objects, for example if you create a file like;

    Save it as example.wsf then run “cscript example.wsf” and you get the idea.

    Seems you’ve pretty much got access to anything that provides a COM API in Windows, via the $WScript object. There’s a nice introduction (using VB – replace with PHP) here:

  • How could this be a security risk?

    You’ve got full access to all of PHP’s functions e.g.

  • Luke

    Just a thought, but if you do ‘regsvr32 php5activescript.dll’ on your machine for admin purposes wouldn’t that then expose you to malicous client-side PHP attacks through IE whilst using the web.

    I know its highly unlikely but my point is that it would be possible right?

  • I know its highly unlikely but my point is that it would be possible right?

    True so I guess everyone should be careful. Personally not worried as have IE primed to alert when a page needs ActiveX and I’m not using IE anyway.

    But the reverse operation to remove the PHP ActiveScript host is;

    regsvr32 /u php5activescript.dll

  • The whole idea is completely bonkers :lol: Microsoft has had software in all forms released for years, and there are still security holes in it.

    Adding a dynamic powerful scripting language like PHP to their [Microsoft] software is just asking for trouble in my view.

    And just how useful is it going to be ? As mentioned it ain’t gonna work for the average web user, and I can see very few business models requiring this, whereas Java would not be an option anyways, as I said before.

  • rickwright

    RE: How could this be a security risk?

    while (($file = readdir($dh)) !== false) {

    // Good manners

    I think in this case good manners are especially important!

  • johnm

    One (semi) positive way that this could be used in in the development of interactive desktop environments using Active Desktop. Now before a flame-fest, I’m mereley pointing out that there are still a lot of people that do in fact use AD, and most that develop for AD have to use various JavaScript incarnations that more often than not don’t work properly, and I think that utilizing PHP would allow more robust options to those users.

  • Lets Just Say.

    PHP Is Now Officialy A Hackers Paradise!

    Php held so much power being server side. Now bringing it to client side. I can See a whole new generation of virii/spyware.

    Even a virus or piece of spyware could install php5activescript.dll and run wild!

  • Benny T

    Im not too much of a nut but wasnt one of the reasons to having server side php the security side of things, being client side it would be quite easy for some idiot to exploit the shit outta it


  • alec

    Client-side PHP would be essentially useless for inexperienced computer users. Yes, one could write potentially useful client-side applications, but the client would have to configure his or her own security options and choose whether to allow or disallow certain actions. Average web users, my parents for instance, can barely manage their email inbox effectively. I highly doubt they could appropriately make use of such technology as a powerful yet customizable scripting environment.

  • Cam

    Since PHP4 shipped with a php4activescript.dll I’d imagine this functionality has been available for a while would I be right?

    In regards to your average virus setting this up, chances would be slim. Only a small percentage of the population at large would have PHP installed on their computers and the paths to where phpXactivescript.dll could be found would vary greatly. Virii are designed to be small to get in and do their business undetected so the writer of one that included the DLL or even tried to remotely get it would either be very talented or very stupid.

    Spyware is another story but with the updates in SP2 on the horizon spyware will get a wakup call. IE wouldn’t even install the software for Windows Update without my express approval and even then no notice showed up, I had to click the button in the bar at the top to approve the download and refresh the page.

  • Ben Vail

    I beleive someone mentioned Java, they _meant_ JavaScript.. A common, and incredibly annoying, comfusion that really bugs me.. ;)^_^

    ..Other ActiveX thingies can already delete files, install adware, and generally screw things up, I fail to see how another method to do this is a big problem.. heheh :D

  • Post-O-Matic

    Client-side PHP scripting could have been very interesting for intranet ERP applications written with PHP, like the project I am working on right now.

    The main problem being, of course, the issue of updating all clients. But if some reasonable solution for client side PHP scripting existed, being that WSH or PHP-GTK, I would immidietly move on towards exploiting it. The possibilities are enourmous.

  • otto

    just a theory but. Using this method someone could embed it into an email and run arbitrary code on someones computer if they’ve enabled PHP. Possibly creating a virus.

  • Marcelo

    Wouldn’t it be great if we had a php interpreter that works like a Java Virtual Machine, preventing direct acces to disk and all that stuff?

  • Stefann

    Anyone hear of PHP-GTK bindings, it welcomes a whole new world into web application development.

  • prabudas

    I am creating html page dynamically using JavaScript in WinCE. Can I use PHP instead of JavaScript.

  • Pingback: Valery’s Mlog » PHP в Internet Explorer ?()

  • physicsnaw

    the time will come where there is compiler which you can compile your php code into rpm or exe

  • SCTld01y7g

    t6hxcxJlzP2 jnN4CfOnIwsb n8Zb7TD7KX

  • Dave

    2 points to question in response to the comments in this article.

    1. Security issues…what about comparing this to ActiveState’s ActivePerl or ActivePython distros that add those languages for use in IE and WSH? Are those more secure compared to this? ActiveState has provided those for a long time. I suppose someone could do viruses for Perl/Python and trigger it via IE, etc. for those that have it installed on Windows.

    2. Has anyone considered using this PHP feature on the server side? After register PHP, the Microsoft IIS web server’s ASP engine now has access to PHP as the scripting language to use much like VBScript/JScript, etc. or Perlscript (via ActiveState). I’ve wanted to use PHP in ASP for a while, since PHP is cooler than Perl. This seems to be a neat idea to me.

  • Anonymous

    I don’t necessarily think client-side PHP is the way to go, but it would be nice if we had a unified platform for client-server development.. One Language to Rule Them All. :)


    Now I have a problem with PHP when I try to open a file on my hard drive. It says “Do you want to open or save ‘file.php'” or something like that. And when I say “Open,” it goes back to the dialog. When I go to a PHP file online, it just shows the page. Should I use as recommended or what?

  • Lieramedarees

    Соберем для Вас по сети интернет
    базу данных потенциальных клиентов для Вашего Бизнеса!!!
    Много!!! Быстро!!! Недорого!!!
    Название телефон факс e-mail www адрес имена итд
    Узнайте подробности по телефону: +79133913837
    ICQ: 6288862
    Skype: prodawez

Get the latest in Front-end, once a week, for free.