[NabZ]

Hey i was wondering if anyone knows how to execute php code from post data.
eg:

i enter the following in a form:

PHP Code:

echo "test"; 

then i submit it and then it posts the data onto a php page which attempts to execute the code, the current code i got is:

PHP Code:

ob_start();

eval("?>".$_POST['code']."<?php ");

$return=ob_get_contents();

ob_end_clean(); 

echo $return;

any ideas why it wont work?

[mab]

Take out the closing/opening php tags inside of the eval(...). Any comments or code you might have seen elsewhere in this forum about having an initial closing tag had to do with executing the contents of a file that had its own opening php tag and/or the file started out with HTML...

The following code works, but don't put this on any public web site (the last person who did something like this got his web page deleted using his own code) -

PHP Code:

ob_start(); 

eval($_POST['code']); 

$return=ob_get_contents(); 

ob_end_clean();  

echo $return; 

[NabZ]

hmm the above code does not seem to work for me :S

[mab]

Post your form code that sends to this.

Also, this code is subject the same problems that would stop normal code from executing. Add the following after your opening <?php tag in the file this is in -

PHP Code:

error_reporting(E_ALL); 

[NabZ]

these are the errors im getting:


Warning: Unexpected character in input: '\' (ASCII=92) state=1 in /home/nabz/public_html/NX1_245.php(54) : eval()'d code on line 1

Parse error: syntax error, unexpected $end in /home/nabz/public_html/NX1_245.php(54) : eval()'d code on line 1

Warning: Unexpected character in input: '\' (ASCII=92) state=1 in /home/nabz/public_html/NX1_245.php(54) : eval()'d code on line 1

Parse error: syntax error, unexpected $end in /home/nabz/public_html/NX1_245.php(54) : eval()'d code on line 1

[mab]

It looks like the magic quote setting is adding slashes to the form data. Use stripslashes(...) around the $_POST[...] data. Also, if you post the code that goes along with the error message it would help.

[NabZ]

after using stripslashes() it worked. thanks for that!

[End User]

PHP Code:

ob_start();

[B]eval("?>".$_POST['code']."<?php ");[/B]

$return=ob_get_contents();

ob_end_clean(); 

echo $return;

This is fantastically dangerous, probably one of the most hazardous uses of eval() that I've ever seen. It makes me cringe just looking at it. It would be a hugely bad idea to ever put this code on the web. And I mean hugely as in Titanic proportions.

[Sheepymot]

Indeed, such code is impossible to police.. I mean you could literally leave your server wide open.

I can't think of a logical reason why you'd want to execute this PHP anyway.. IN what situation would you want to give control of your server to strangers?

Do not use this code in a live envioronment.. Please.