1

Here's my code:

<?php
if(isset($_GET['p']))
{
    $nshortname = strip_tags($_GET['p']);
    $check = mysql_query("SELECT * FROM pages WHERE `shortname` = '$nshortname'");

    if(mysql_num_rows($check) == 0) 
    {
        echo '<center><font size="50" style="font-weight:bold;">404</font><br>Appears this page is a dead end</center>';
    }
    else
    {
        $h = mysql_fetch_array($check);
        //post details
        $title = $h["title"];
        $content = $h["content"];
        $shortname = $h["shortname"];
        // Start of page content
        echo '

        <p>
        <font size="5pt">'.$title.'</font><br><hr>
        '.$content.'<br>
        ';
        // End of page content
    }
} 
else
{
    echo 'No page has been selected to view';
}
?>

What it does exactly, is it grabs pages from my database and reads them, so for example if I have a page in that table called "test" I can go to it by http://mylink.com/?p=test. Although i've come up with an issue. On one of those pages that come from the database I want to include but when I type it into the database field and go back to the page it shows with nothing.

I went to the source of the page in my browser and found out the code turned into <!--?php include "inc/extra/plugins/header/slideshow.php"?-->

Does anyone know how I can sold it from turning into <!--? and make my include code work.

Improve this question
17
  • you can use eval to Evaluate php code php.net/manual/en/function.eval.php Commented Nov 3, 2013 at 8:41
  • @Breezer: Why do you think the OP needs eval() here? Commented Nov 3, 2013 at 8:43
  • @AmalMurali as i understood it he retrieves "text" from the db that he then outputs, and one of thoose pages contain an include that doesn't get evaluated. I might have missunderstood the question though that's why i commented instead of answering Commented Nov 3, 2013 at 8:45
  • @Breezer should my content field in my database contain: "eval("<?php include "inc/extra/plugins/header/slideshow.php"?>");" or where should I use eval in my codes? Commented Nov 3, 2013 at 8:47
  • you use evak on the $content variable, to get any php code inside the content to get run Commented Nov 3, 2013 at 8:48

2 Answers 2

Reset to default
3

I would caution against using eval() of unknown content. Basically, the content comes from your database, but that doesn't guarantee it's safe to execute as code! There are a lot of ways it could cause errors or do something malicious.

But you also have other dangerous security gaffes in your code. You should learn about how to defend against SQL injection vulnerabilities and Cross-Site Scripting (XSS) vulnerabilities and File Inclusion vulnerabilities.

  • Use mysql_real_escape_string() if you are still using the deprecated ext/mysql. But if you can, switch to mysqli or PDO_mysql and use prepared statements with parameters.

  • Always output dynamic content with htmlspecialchars(). What if the content contains Javascript code? It could cause mischief.

  • Never eval() arbitrary content as code. You have no control over what that content is, or what it could do when you execute it.

  • Be as restrictive as possible - if you want to include a file, store the filename separately from content (e.g. in a separate column), and use it only for including files.

Here's an example with some of these problems fixed in your code:

<?php

if(isset($_GET['p']))
{
    $nshortname = mysql_real_escape_string($_GET['p']);
    $check = mysql_query("SELECT * FROM pages WHERE `shortname` = '$nshortname'");

    if(mysql_num_rows($check) == 0) 
    {
        echo '<center><font size="50" style="font-weight:bold;">404</font><br>Appears this page is a dead end</center>';
    }
    else
    {
        $h = mysql_fetch_array($check);
        //post details
        $title = htmlspecialchars($h["title"]);
        $content = htmlspecialchars($h["content"]);
        $shortname = $h["shortname"];
        // Start of page content
        echo '

        <p>
        <font size="5pt">'.$title.'</font><br><hr>
        '.$content.'<br>
        ';
        // End of page content

        // Start of include
        if ($h["include"]) {
          // strip out anything like "../../.." etc. 
          // to make sure this is only a simple filename.
          $include = basename($h["include"]);
          include "inc/extra/plugins/header/{$include}.php";
        }
        // End of plugin inclusion
    }
} 
else
{
    echo 'No page has been selected to view';
}
?>

Also check out http://www.sitepoint.com/php-security-blunders/ and http://phpsec.org/projects/phpsecinfo/

Re your comments:

To allow a limited set of basic HTML, the best tool you need to use is http://htmlpurifier.org

I'm not sure what to say about your include displaying code instead of working. I just tested this, and the following two files seem to work exactly as intended:

foo.php:

<?php

echo "<h1>START FOO</h2>";
if ($_GET["include"]) {
    $include = basename($_GET["include"]);
    include "./{$include}.php";
}
echo "<h1>END FOO</h2>";

bar.php:

<?php
echo "<h2>BAR</h2>";
Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

Hi thanks for the security, anyhow.. with your code, it disallows all html. My pages that are read from the database require simple html such as <img, <b>, and <a. Anyway this can be enabled? Also, the php include code now fully appears. I need it to include the page, not to show the <?php include("inc/extra/posts.php"); ?>
Wait dont worry about the basic html, but I still need to find out how to use <?php include("inc/extra/posts.php"); ?> correctly
0

If you have a variable $content which is html with php, you can use
eval("?>" . $content . "<?php");
This will output $content having processed all the <?php ?> tags.

Improve this answer

10 Comments

Hi, where would I add this? I've been trying to add it, although it just comes with a blank page.
Hi, I managed to solve this. Thanks! Was doing the wrong PHP code. By using 'Eval' will it be safe? I've heard it can be quite dangerous to use..
@user2594383, No -- eval() of arbitrary content is not safe. What if I store content of <?php exec("rm -rf .") >?? Nor is interpolating $_GET variables into your SQL expression without escaping, nor is echoing content from your database without calling htmlspecialchars().
@BillKarwin well, do you have any ideas in which could fix my problem, without using eval??
@user2594383 Eval is ok. If you write code with your own hands, put it into the database and then eval, nothing will happen. Like others said, do not eval anything provided by users. But you are not going to, are you?
|

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.