Echo php code from a string

I have a cms system where a client has requested that they be able to enter php snippets within the html content.

This would be in the following format:

```html
[PHP]echo.php[/PHP]
```

or

```html
[PHP]echo "<h4>here is some php code</h4><p>lets see if it works</p>";[/PHP]
```

If the tag ends in .php I know to include it as a file; otherwise I was planning on just evaluating the content.

$Product_Details is being set from content in my DB.

Example string from the DB:

```html
[PHP]echo.php[/PHP][PHP]echo "<h4>here is some php code</h4><p>lets see if it works</p>";[/PHP]<br /><p>&nbsp;</p><p><strong>test</strong></p>
```



I have various functions as follows to help me find all the tags within a string and return them as an array for me to then replace them with the php code:

```php
$string = $Product_Details;
$delimiter = "[PHP]";
$delimiterto = "[/PHP]";
$arrpos = array();
$arrpos = getSelectiveContent($string, $delimiter, $delimiterto, $exclude = "");
$arrsize = sizeof($arrpos);
for ($i = 0; $i < $arrsize; $i++) {
    // stripos() returns false when ".php" is absent, and false >= 0 is true in PHP,
    // so a ">= 0" test would send every snippet down the include branch.
    if (stripos($arrpos[$i], ".php") !== false) {
        $Product_Details = str_ireplace("[PHP]" . $arrpos[$i] . "[/PHP]",
            '<?php include ("' . $arrpos[$i] . '"); ?>', $Product_Details);
    } else {
        // eval() needs a string argument, so the snippet is exported as a PHP literal.
        $Product_Details = str_ireplace("[PHP]" . $arrpos[$i] . "[/PHP]",
            '<?php echo eval(' . var_export($arrpos[$i], true) . '); ?>', $Product_Details);
    }
}
// Note: this only builds text containing "<?php ... ?>" markers; PHP does not
// execute such markers when the string is later echoed.

function getSelectiveContent($content, $from, $to, $exclude = "")
{
    $return = array(); // array for return elements
    $size_FROM = strlen($from);
    $size_TO = strlen($to);
    while (true) {
        $pos = stripos($content, $from); // find first occurrence of $from
        if ($pos === false) {
            break; // no more tags: leave the loop
        }
        $element = extractor($content, $from, $to); // fetch first element
        if ($exclude == "") {
            if (trim($element) != "") {
                $return[] = trim($element); // append to the array (plain "=" would overwrite it)
            }
        } else {
            if (trim($element) != "" && !strstr($element, $exclude)) { // skip empty ranges and ranges containing $exclude
                $return[] = trim($element);
            }
        }
        $content = substr($content, $pos + strlen($element) + $size_FROM + $size_TO); // drop $from..$to from content
    }
    return $return;
}

function extractor($str, $afrom, $ato)
{
    $from_pos = stripos($str, $afrom) + strlen($afrom);
    $to_pos = stripos($str, $ato, $from_pos); // $to must come after $from
    return substr($str, $from_pos, $to_pos - $from_pos);
}
```



Then I was simply outputting as follows:

```php
<?php echo $Product_Details; ?>
```

The outputted html is as follows:

```html
<?php include (echo.php); ?><?php include (echo "<h4>here is some php code</h4><p>lets see if it works</p>";); ?><br /><p>&nbsp;</p><p><strong>test</strong></p>
```

But it doesn't render any of the php. What am I doing wrong, and does what I am asking make sense?

Thanks

Echo does not evaluate the code.
This is a MAJOR security hole. I highly, HIGHLY recommend you discourage your client from doing this. Ever. Evereverevereverevereverevereverever. As in “Get it in legal writing that you’re not responsible when your client gets hacked to whatever evil-place his religion believes exists, because it’s going to happen.”

That warning having been said.


```php
$split = preg_split("~\\[\\\\?PHP\\]~", $string); // Split the string up; this will slice the PHP sections out.
foreach ($split AS $index => $value) {
  // If index is even, you're in Echo mode.
  if ($index % 2 == 0) {
    echo $value;
  } else {
    // We're inside a PHP block.
    if (substr($value, -4) == ".php") {
      include($value);
    } else {
      eval($value);
    } //EndifInner
  } //EndIfOuter
} //Endforeach
```

Code looks kind of what I need as it looks like it would render the code snippets but what about the other normal text/html copy?

Unsure how I would call it

as currently i am doing all the replacing on the string first then simply

<?php echo $Product_Details;?>

Might take a look at…
http://php.net/manual/en/function.highlight-file.php

I don’t want to highlight code

I want to run it

You wouldn't be doing any string replacing. The above code I pasted is your execution phase; it's not a call, it would replace your line.

The code you posted gives me the same result as my simple <?php echo $Product_Details;?>

Yeah… PCRE didn't like that pattern, apparently. So instead we'll use a different one.


```php
$split = preg_split("~(\\[PHP\\])|(\\[/PHP\\])~", $string); // Split the string up; this will slice the PHP sections out.
foreach ($split AS $index => $value) {
  // If index is even, you're in Echo mode.
  if ($index % 2 == 0) {
    echo $value;
  } else {
    // We're inside a PHP block.
    $value = trim($value); // tolerate whitespace around the snippet
    if (substr($value, -4) == ".php") {
      include($value);
    } else {
      eval($value);
    } //EndifInner
  } //EndIfOuter
} //Endforeach
```

Note that you MUST NOT have php open/close tags wrapped around the string, or eval will fail. (You might want to check for them with substr beforehand.)
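The tag walk above works, but the odd-indexed segments still go to eval()/include(), which is the hole the warning at the top of this reply is about. As an added example (not code from this thread, and not the poster's own), the following keeps the same preg_split walk but dispatches each tag body to an allowlist of registered handlers instead of executing it. The [SNIPPET] tag name, the handler names and the price data are assumptions for illustration.

```php
<?php
// Added example, not code from this thread. Even segments are HTML and pass
// through untouched; odd segments are tag bodies of the form "name arg1 arg2",
// looked up in a registry. Nothing from the database is parsed as PHP.
// The [SNIPPET] tag and the handler names are assumptions for illustration.

declare(strict_types=1);

final class SnippetRegistry
{
    /** @var array<string, callable> handler name => callable */
    private array $handlers = [];

    public function register(string $name, callable $handler): void
    {
        if (!preg_match('/\A[A-Za-z_][A-Za-z0-9_]*\z/', $name)) {
            throw new InvalidArgumentException("bad handler name: $name");
        }
        $this->handlers[$name] = $handler;
    }

    /** Expand every [SNIPPET]name arg ...[/SNIPPET]; everything else is returned as-is. */
    public function render(string $content): string
    {
        $parts = preg_split('~\[SNIPPET\]|\[/SNIPPET\]~', $content);
        $out = '';
        foreach ($parts as $index => $value) {
            $out .= ($index % 2 === 0) ? $value : $this->dispatch(trim($value));
        }
        return $out;
    }

    private function dispatch(string $body): string
    {
        // Tag body grammar: handler name, then whitespace-separated arguments.
        // Arguments reach the handler as plain strings, never as code.
        $tokens = preg_split('/\s+/', $body, -1, PREG_SPLIT_NO_EMPTY);
        $name = array_shift($tokens) ?? '';
        if (!isset($this->handlers[$name])) {
            // Unknown name: emit an inert, escaped marker instead of anything executable.
            return '<!-- unknown snippet ' . htmlspecialchars($name, ENT_QUOTES) . ' -->';
        }
        try {
            return (string) ($this->handlers[$name])(...$tokens);
        } catch (Throwable $e) {
            // Wrong argument count or a handler error fails closed, not with an error page.
            return '<!-- snippet ' . htmlspecialchars($name, ENT_QUOTES) . ' failed -->';
        }
    }
}

// Constructed stand-ins for the basket/price helpers mentioned later in the thread.
$registry = new SnippetRegistry();
$registry->register('ShopDisplayPrice', function (string $sku): string {
    $prices = ['CompleteM' => '499.00'];                  // constructed price table
    $price = $prices[$sku] ?? 'n/a';
    return '<span class="price">' . htmlspecialchars($price, ENT_QUOTES) . '</span>';
});
$registry->register('MiniBasket', fn(): string => '<div class="basket">0 items</div>');

// Constructed CMS content, including a hostile tag that eval() would have run.
$content = '<p>Price: [SNIPPET]ShopDisplayPrice CompleteM[/SNIPPET]</p>'
         . '[SNIPPET]MiniBasket[/SNIPPET]'
         . '<p>[SNIPPET]system rm -rf /[/SNIPPET]</p>'
         . '<p>[SNIPPET]ShopDisplayPrice[/SNIPPET]</p>';    // missing argument: fails closed

echo $registry->render($content), PHP_EOL;
```

The even/odd split still assumes balanced tags; an unclosed [SNIPPET] makes the rest of the content a tag body, which is dispatched, not found, and rendered as an inert comment, so the failure mode is a missing snippet rather than executed content. Handler output is built from escaped data, so a client editing CMS text cannot inject markup through the arguments either.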

Nearly working :slight_smile:

I have 2 test strings

```html
"features
[PHP]echo.php[/PHP]"
```

**worked**

```html
"[PHP]echo.php[/PHP]
[PHP]echo "here is some php code - lets see if it works";[/PHP]
test"
```

**Didn't**


Well, that's probably because you put double quotes inside your double-quoted string.

Changing the PHP tag to a nonsense one so the forum engine doesn't interpret it:

```php
$string = "[MOO]echo.php[/MOO]

[MOO]echo "here is some php code - lets see if it works";[/MOO]
test"
```

Note the colorization of the echo.

Your string, when put into a single-quote encapsulation rather than a double-quote one, works as expected.

OK, so I changed my string to use single quotes, and here is the example string from the DB:

```html
[MOO]echo.php[/MOO]
<div><br />
</div>
<div>[MOO]echo 'here is some php code - lets see if it works';[/MOO]<br />
<p> </p>
<p><strong>test</strong></p>
<br />
</div>
```

and here's what gets rendered in the browser:

```html
<?php include (echo.php); ?>
<div><br />
</div>
<div><?php include (echo 'here is some php code - lets see if it works';); ?><br />
<p> </p>
<p><strong>test</strong></p>
<br />
</div>
```

and all you see is <p><strong>test</strong></p>

wait… if you’re pulling it from the database, where are you putting the quotes?

Show me your code… cause it sounds like you’ve changed an == to an =.

Here are some examples of what I am trying to do:

```php
include_once("basketscript.php"); MiniBasket();
include_once("…/testimonial.php"); Testimonials( 5, "Support" );
include_once("buttons.php"); include_once("bundles/bundles_script.php"); AddBundleAdvert("bundle_complete,bundle_space,bundle_stereo");
include_once("basketscript.php"); ShopDisplayPrice( "CompleteM" );
```

So, for example, we'd want to be able to have something like the following in the CMS text:

[PHPCODE] include_once("basketscript.php"); ShopDisplayPrice( "CompleteM" ); [/PHPCODE]

or would they need to be like this:

[PHPCODE] include_once("basketscript.php"); [/PHPCODE][PHPCODE]ShopDisplayPrice( "CompleteM" ); [/PHPCODE]

Either would work.
[PHPCODE]basketscript.php[/PHPCODE][PHPCODE]ShopDisplayPrice( "CompleteM" );[/PHPCODE]
or
[PHPCODE]include_once(basketscript.php);[/PHPCODE][PHPCODE]ShopDisplayPrice( "CompleteM" );[/PHPCODE]
or
[PHPCODE]include_once(basketscript.php); ShopDisplayPrice( "CompleteM" );[/PHPCODE]

should all work correctly.
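The bare-file-name form ([PHPCODE]basketscript.php[/PHPCODE]) is the one case in this thread that can be made reasonably safe, because the database then names a file rather than supplying code. As an added example (not code from this thread), the following resolves such a name against a single developer-controlled snippet directory and refuses anything else: paths with separators, stream wrappers such as php:// or http://, traversal via .., and names that do not exist. The directory layout, the snippet file and its contents are constructed for the demonstration.

```php
<?php
// Added example, not code from this thread. Resolves a snippet file name taken
// from CMS content to a file inside one allowlisted directory, or rejects it.
// $snippetDir and the snippet file created below are assumptions for illustration.

declare(strict_types=1);

/** Return the canonical path of $name inside $snippetDir, or null if it is not acceptable. */
function resolveSnippetPath(string $name, string $snippetDir): ?string
{
    $name = trim($name);
    // 1. Syntactic allowlist: a bare file name ending in .php. This alone rules out
    //    directory separators, "..", and wrappers such as php://, data: or http://.
    if (!preg_match('/\A[A-Za-z0-9_-]+\.php\z/', $name)) {
        return null;
    }
    // 2. Canonicalise and check containment. realpath() resolves symlinks and
    //    returns false for a missing file, so a well-formed but absent name fails too.
    $base = realpath($snippetDir);
    $path = realpath($snippetDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

/** Include an accepted snippet in its own scope and return what it printed. */
function renderSnippetFile(string $name, string $snippetDir): string
{
    $path = resolveSnippetPath($name, $snippetDir);
    if ($path === null) {
        return '<!-- snippet rejected -->';
    }
    ob_start();
    // The closure keeps the snippet from reading or clobbering the caller's variables.
    (static function () use ($path): void { include $path; })();
    return (string) ob_get_clean();
}

// Constructed demo: a temporary snippet directory holding one real snippet.
$dir = sys_get_temp_dir() . '/snippets_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . '/basketscript.php', '<?php echo "<div class=\"basket\">0 items</div>";');

$cases = [
    'basketscript.php',            // accepted
    '../../../etc/passwd',         // traversal: rejected by the name check
    'php://filter/resource=x.php', // stream wrapper: rejected by the name check
    'missing.php',                 // well-formed but absent: realpath() is false
];
foreach ($cases as $case) {
    printf("%-32s => %s\n", $case, renderSnippetFile($case, $dir));
}

unlink($dir . '/basketscript.php');
rmdir($dir);
```

The caveat a reviewer would add: the included file still runs with the full privileges of the web application, so this is only as safe as the snippet directory itself. It must be deployed with the code and never writable by the CMS, an upload handler, or the client's account; otherwise the allowlist just moves the eval() one step away.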