svamja
Forum Newbie
Posts: 3 Joined: Mon Jun 11, 2007 11:13 am
Post
by svamja » Mon Jun 11, 2007 11:16 am
RobertGonzalez
Site Administrator
Posts: 14293 Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA
Post
by RobertGonzalez » Mon Jun 11, 2007 11:21 am
It puked on this:
Code: Select all
<?php
foreach (get_defined_functions() as $v) {
    echo '<p>' . $v . '</p>';
}
?>
What is that app supposed to do?
Benjamin
Site Administrator
Posts: 6935 Joined: Sun May 19, 2002 10:24 pm
Post
by Benjamin » Mon Jun 11, 2007 11:24 am
Code: Select all
$x = range('a', 'z');
print_r($x);
Worked ok.
RobertGonzalez
Site Administrator
Posts: 14293 Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA
Post
by RobertGonzalez » Mon Jun 11, 2007 11:26 am
There is no error checking for syntax. It just spits out all kinds of information about the error using the standard display error.
Try:
Code: Select all
<?php
$v = 'suck it trebek';
echo $; // Or leave in some other error
?>
superdezign
DevNet Master
Posts: 4135 Joined: Sat Jan 20, 2007 11:06 pm
Post
by superdezign » Mon Jun 11, 2007 11:29 am
Here I was thinking we already had methods of testing PHP. Silly me.
RobertGonzalez
Site Administrator
Posts: 14293 Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA
Post
by RobertGonzalez » Mon Jun 11, 2007 11:30 am
Just wait until someone malicious wants to test their code...
Luke
The Ninja Space Mod
Posts: 6424 Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA
Post
by Luke » Mon Jun 11, 2007 11:34 am
Isn't this a massive security risk? What have you done to protect yourself from people overwriting files in your server or deleting this application? You have opened yourself up to people executing whatever code they want on your server.
superdezign
DevNet Master
Posts: 4135 Joined: Sat Jan 20, 2007 11:06 pm
Post
by superdezign » Mon Jun 11, 2007 11:35 am
I'm malicious! Sadly, I can't extract their MySQL database username and password. :-p
DROP DATABASE;
Jk.
Luke
The Ninja Space Mod
Posts: 6424 Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA
Post
by Luke » Mon Jun 11, 2007 11:37 am
I just looped through your directories and displayed every file I could find. It took like 15 seconds. I'd take this down, man.
volka
DevNet Evangelist
Posts: 8391 Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger
Post
by volka » Mon Jun 11, 2007 11:37 am
Aiiiiii don't think you want everybody to execute arbitrary PHP code on your server.
guitarlvr
Forum Contributor
Posts: 245 Joined: Wed Mar 21, 2007 10:35 pm
Post
by guitarlvr » Mon Jun 11, 2007 11:38 am
phpinfo() and the $_SERVER array come right up. Another suggestion to take this down.
Wayne
Luke
The Ninja Space Mod
Posts: 6424 Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA
Post
by Luke » Mon Jun 11, 2007 11:48 am
Here's what your file looks like:
Code: Select all
if (PHP_VERSION < '5.0')
{
    $code_text = stripslashes($code_text);
}
echo "evaluating:";
echo "<br> $code_text";
?>
<hr>
<pre id="result_pre">
<?php eval ("$code_text");
?>
</pre>
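Added example, not part of any post in this thread and not the original poster's code: a static check that finds the pattern in the excerpt above, eval() called on anything other than a constant string, using PHP's tokenizer. The helper name find_dynamic_evals(), the sample source and the $_POST origin of $code_text are assumptions constructed for illustration.

```php
<?php
// Added example: report eval() calls whose argument is not a constant string.
// find_dynamic_evals() is a hypothetical helper name, not a PHP built-in.
function find_dynamic_evals(string $source): array
{
    $tokens = token_get_all($source);
    $count = count($tokens);
    $findings = [];
    for ($i = 0; $i < $count; $i++) {
        if (!is_array($tokens[$i]) || $tokens[$i][0] !== T_EVAL) {
            continue;
        }
        $depth = 0;
        $dynamic = false;
        $argument = '';
        // Walk the tokens between eval's opening and matching closing parenthesis.
        for ($j = $i + 1; $j < $count; $j++) {
            $tok = $tokens[$j];
            if ($tok === '(' && ++$depth === 1) {
                continue;               // the opening parenthesis itself
            }
            if ($tok === ')' && --$depth === 0) {
                break;                  // end of the argument
            }
            if ($depth < 1) {
                continue;               // whitespace between "eval" and "("
            }
            $argument .= is_array($tok) ? $tok[1] : $tok;
            // Only a single-token string literal (plus whitespace) counts as constant.
            $constant = is_array($tok)
                && in_array($tok[0], [T_CONSTANT_ENCAPSED_STRING, T_WHITESPACE], true);
            $dynamic = $dynamic || !$constant;
        }
        if ($dynamic) {
            $findings[] = ['line' => $tokens[$i][2], 'argument' => trim($argument)];
        }
    }
    return $findings;
}

// Constructed sample modelled on the excerpt above, plus one constant eval for contrast.
$sample = <<<'SRC'
<?php
$code_text = $_POST['code_text'];
eval ("$code_text");
eval('return 1 + 1;');
SRC;

foreach (find_dynamic_evals($sample) as $f) {
    echo "line {$f['line']}: eval({$f['argument']})\n";
}
```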
Benjamin
Site Administrator
Posts: 6935 Joined: Sun May 19, 2002 10:24 pm
Post
by Benjamin » Mon Jun 11, 2007 11:50 am
+1 vote for a darwin award.
superdezign
DevNet Master
Posts: 4135 Joined: Sat Jan 20, 2007 11:06 pm
Post
by superdezign » Mon Jun 11, 2007 12:36 pm
Haha! Run this!
Code: Select all
$file = 'phptester.html';
$fh = fopen($file, 'r');
echo fread($fh, filesize($file));
fclose($fh);
Now if he'd do it for EVERY other file on his server. (I'd wreak havoc myself, but I'd feel bad. :-p)
volka
DevNet Evangelist
Posts: 8391 Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger
Post
by volka » Mon Jun 11, 2007 12:43 pm
superdezign wrote: Haha! Run this!
Wow, you get the exact same output The Ninja Space Goat posted. Amazing.