Javascript php lib.

JavaScript and client side scripting.

JellyFish
DevNet Resident
Posts: 1361
Joined: Tue Feb 14, 2006 7:18 pm
Location: San Diego, CA


Post by JellyFish »

Is there already or what's your opinion on making a Javascript library called php, which implements the php language in a global scoped object: PHP.properties/methods?

Thanks for the read. :D
JellyFish
DevNet Resident
Posts: 1361
Joined: Tue Feb 14, 2006 7:18 pm
Location: San Diego, CA

Post by JellyFish »

Right now I have something that may be a start on this concept.

Javascript lib:

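Code:

// Global "php" object: sends a string of PHP source to the server to be evaluated.
php = {
	eval: function (str) {
		// POST the string to API.php as the "eval" field (jQuery).
		$.post("API.php", { eval: str }, function (data) {
			// Show whatever the server script printed.
			alert("Data Loaded: " + data);
		});
	}
};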
I'm using jQuery right now just for quick coding.

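Code:

<?php
// !empty() keeps the original truthiness test without an "undefined index" notice.
if (!empty($_POST['eval']))
{
	// Remove the backslashes that were added in front of quotes in the posted string.
	$eval = stripslashes($_POST['eval']);
	// Runs the posted string as PHP code on the server.
	eval($eval);
}
else
{
	exit("no eval");
}
?>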
Basically it works but stripslashes is totally not appropriate. I used it because whenever I place quotes within the argument of php.eval ( php.eval("exit('hello');") ) it automatically adds slashes to the quotes and I'm not aware of any other way to prevent this.

But other than that, I came up with a basic expression of my idea for a JS library. And what do you think?
Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA

Post by Luke »

not sure why you'd want php functions in javascript... javascript has its own functions that are far better suited for it.
JellyFish
DevNet Resident
Posts: 1361
Joined: Tue Feb 14, 2006 7:18 pm
Location: San Diego, CA

Post by JellyFish »

It's basically a library to execute functions on the server on the fly. It's like, say you want to use some of the php image resizing functions on the server without refreshing the page or designing your own framework.

Get me?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Not to mention that using eval() would allow anyone to run arbitrary code... not a good idea.
nickvd
DevNet Resident
Posts: 1027
Joined: Thu Mar 10, 2005 5:27 pm
Location: Southern Ontario

Post by nickvd »

not to mention that you would be allowing anyone and everyone to run any php code they wanted on your server...

I'll leave the rest up to you :)

<edit>
... Not quick enough :(
JellyFish
DevNet Resident
Posts: 1361
Joined: Tue Feb 14, 2006 7:18 pm
Location: San Diego, CA

Post by JellyFish »

feyd wrote:Not to mention that using eval() would allow anyone to run arbitrary code... not a good idea.
Only on the server that the API.php file is hosted on. Why would that server be mine exactly? Why would I need to worry if that server is not mine?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Because you're compromising the security of a server, any server, knowingly. That is completely irresponsible.
wei
Forum Contributor
Posts: 140
Joined: Wed Jul 12, 2006 12:18 am

Post by wei »

might as well implement it like this

http://thedailywtf.com/Articles/Client-side_PHP.aspx

punishable by death
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

The code example posted on that page won't work. :lol:

+= for strings doesn't work so well. :)
JellyFish
DevNet Resident
Posts: 1361
Joined: Tue Feb 14, 2006 7:18 pm
Location: San Diego, CA

Post by JellyFish »

feyd wrote:Because you're compromising the security of a server, any server, knowingly. That is completely irresponsible.
How would people have access to write on the server in the first place? I don't understand. You'd need to use the "php.eval()" method to execute something on the server on the fly (which is what's intended). Even then you need to be able to write that somewhere on the site. I don't see what the difference is between using Ajax to call a page on the server?

And you still could implement the php object not to be used in certain circumstances.
nickvd
DevNet Resident
Posts: 1027
Joined: Thu Mar 10, 2005 5:27 pm
Location: Southern Ontario

Post by nickvd »

JellyFish wrote:
feyd wrote:Not to mention that using eval() would allow anyone to run arbitrary code... not a good idea.
Only on the server that the API.php file is hosted on. Why would that server be mine exactly? Why would I need to worry if that server is not mine?
I can't believe I just read this... If you owned a hosting company, would you care if one of your clients used a script like this on your server?

If you still don't care, then you need serious help...
nickvd
DevNet Resident
Posts: 1027
Joined: Thu Mar 10, 2005 5:27 pm
Location: Southern Ontario

Post by nickvd »

It is unbelievably trivial to inject your own javascript into any site you want... Javascript is run in userland, a land where monsters and wizards are always lurking, waiting for a script such as this to have fun with...

<edit>
It is probably easier to directly inject php code into the POST request.
</edit>
JellyFish
DevNet Resident
Posts: 1361
Joined: Tue Feb 14, 2006 7:18 pm
Location: San Diego, CA

Post by JellyFish »

I see now. Didn't realize at the time of creating this post that one could use a tool like firebug to write client script on any web page.

So I thought that maybe through a php function you could activate this javascript lib and let there be a function that deactivates it! Then only those with server access could write in this library. Is this a solution?
nickvd
DevNet Resident
Posts: 1027
Joined: Thu Mar 10, 2005 5:27 pm
Location: Southern Ontario

Post by nickvd »

the best solution would be to send off an ajax request with the data you want to send to the php script, which will perform the function that you tell it (through GET or POST depending on the use).

Send a request such as: ajax.php?command=getbook&id=4

Which would activate the getbook function in ajax.php..
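
The command-style endpoint suggested in the reply above, sketched as an added example that is not code from any poster in this thread: the client names an operation from a fixed allowlist and the server validates each parameter, so no posted string is ever evaluated. The getbook handler body, the $books sample data and the JSON response shape are assumptions; it needs PHP 7.1 or later.

```php
<?php
// Added example: allowlist dispatcher for ajax.php?command=getbook&id=4.
// Handler body, $books data and response shape are assumptions for illustration.

// Constructed sample data standing in for a database lookup.
$books = [
    4 => ['id' => 4, 'title' => 'Sample Book (constructed)'],
];

// The only operations a client may request. The client picks a key from this
// map; it never supplies PHP code or a function name that is called directly.
$commands = [
    'getbook' => function (array $params) use ($books): array {
        // Accept a positive integer id only; arrays, text and missing values fail.
        $id = filter_var($params['id'] ?? null, FILTER_VALIDATE_INT,
            ['options' => ['min_range' => 1]]);
        if ($id === false) {
            return [400, ['error' => 'invalid id']];
        }
        if (!isset($books[$id])) {
            return [404, ['error' => 'book not found']];
        }
        return [200, $books[$id]];
    },
];

function dispatch(array $commands, array $params): array
{
    $name = $params['command'] ?? '';
    // Exact-match lookup in the allowlist; anything else fails closed.
    if (!is_string($name) || !array_key_exists($name, $commands)) {
        return [400, ['error' => 'unknown command']];
    }
    return $commands[$name]($params);
}

[$status, $body] = dispatch($commands, $_GET);
http_response_code($status);
header('Content-Type: application/json');
echo json_encode($body);
```

Because anyone can send this request by hand, any command that changes data would also need a server-side authentication and authorization check inside its handler.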