
Javascript php lib.

Posted: Sat Feb 03, 2007 1:34 am
by JellyFish
Is there already, or what's your opinion on making, a Javascript library called php, which implements the php language in a global scoped object: PHP.properties/methods?

Thanks for the read. :D

Posted: Tue Feb 06, 2007 5:56 pm
by JellyFish
Right now I have something that may be a start on this concept.

Javascript lib:

Code:

php = {
	eval: function (str) {
		$.post("API.php", { eval:str } , function(data) {
			alert("Data Loaded: " + data);
		});
	}
};
I'm using jQuery right now just for quick coding.

Code:

<?php
if ($_POST['eval'])
{
	$eval = stripslashes($_POST['eval']);
	eval("$eval");
}
else
{
	exit("no eval");
}
?>
Basically it works but stripslashes is totally not appropriate. I used it because whenever I place quotes within the argument of php.eval ( php.eval("exit('hello');") ) it automatically adds slashes to the quotes and I'm not aware of any other way to prevent this.

But other than that, I came up with a basic expression of my idea for a JS library. And what do you think?

Posted: Tue Feb 06, 2007 6:23 pm
by Luke
not sure why you'd want php functions in javascript... javascript has its own functions that are far better suited for it.

Posted: Tue Feb 06, 2007 6:27 pm
by JellyFish
It's basically a library to execute functions on the server on the fly. It's like, say you want to use some of the php image resizing functions on the server without refreshing the page or designing your own framework.

Get me?

Posted: Tue Feb 06, 2007 6:27 pm
by feyd
Not to mention that using eval() would allow anyone to run arbitrary code... not a good idea.

Posted: Tue Feb 06, 2007 6:29 pm
by nickvd
not to mention that you would be allowing anyone and everyone to run any php code they wanted on your server...

I'll leave the rest up to you :)

<edit>
... Not quick enough :(

Posted: Tue Feb 06, 2007 6:37 pm
by JellyFish
feyd wrote:Not to mention that using eval() would allow anyone to run arbitrary code... not a good idea.
Only on the server that the API.php file is hosted on. Why would that server be mine exactly? Why would I need to worry if that server is not mine?

Posted: Tue Feb 06, 2007 9:28 pm
by feyd
Because you're compromising the security of a server, any server, knowingly. That is completely irresponsible.

Posted: Tue Feb 06, 2007 9:46 pm
by wei
might as well be implemented like this

http://thedailywtf.com/Articles/Client-side_PHP.aspx

punishable by death

Posted: Tue Feb 06, 2007 9:51 pm
by feyd
The code example posted on that page won't work. :lol:

+= for strings doesn't work so well. :)

Posted: Tue Feb 06, 2007 11:48 pm
by JellyFish
feyd wrote:Because you're compromising the security of a server, any server, knowingly. That is completely irresponsible.
How would people have access to write on the server in the first place? I don't understand? You'd need to use the "php.eval()" method to execute something on the server on the fly (which is what's intended). Even then you need to be able to write that somewhere on the site. I don't see what the difference is between using Ajax to call a page on the server?

And you still could implement the php object not to be used in certain circumstances.

Posted: Tue Feb 06, 2007 11:49 pm
by nickvd
JellyFish wrote:
Not to mention that using eval() would allow anyone to run arbitrary code... not a good idea.
Only on the server that the API.php file is hosted on. Why would that server be mine exactly? Why would I need to worry if that server is not mine?
I can't believe I just read this... If you owned a hosting company, would you care if one of your clients used a script like this on your server?

If you still don't care, then you need serious help...

Posted: Tue Feb 06, 2007 11:52 pm
by nickvd
It is unbelievably trivial to inject your own javascript into any site you want... Javascript is run in userland, a land where monsters and wizards are always lurking, waiting for a script such as this to have fun with...

<edit>
It is probably easier to directly inject php code into the POST request.
</edit>

Posted: Wed Feb 07, 2007 10:06 pm
by JellyFish
I see now. Didn't realize at the time of creating this post that one could use a tool like firebug to write client script on any web page.

So I thought that maybe through a php function you could activate this javascript lib and let there be a function that deactivates it! Then only those with server access could write in this library. Is this a solution?

Posted: Wed Feb 07, 2007 11:09 pm
by nickvd
the best solution would be to send off an ajax request with the data you want to send to the php script, which will perform the function that you tell it (thru GET or POST depending on the use).

Send a request such as: ajax.php?command=getbook&id=4

Which would activate the getbook function in ajax.php..
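
The command-dispatch approach described in the last post, as an added example that is not code from the thread: the request names a command and the server looks it up in a fixed allowlist, so request data is never executed as PHP. The names ajax.php, command, getbook and id come from the post; BOOKS, COMMANDS, dispatch() and the sample book record are assumptions made for illustration.

```php
<?php
// ajax.php -- added example, not code from the thread.
// The client only names a command; the server decides which code runs.

// Constructed sample data standing in for a real data store (assumption).
const BOOKS = [
    4 => ['id' => 4, 'title' => 'Sample Book'],
];

// Hypothetical handler for the "getbook" command named in the post.
// Returns [HTTP status, response body].
function getbook(array $params): array
{
    // Validate the parameter instead of trusting it: id must be a positive
    // integer. Missing values, arrays and non-numeric strings all yield false.
    $id = filter_var($params['id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return [400, ['error' => 'invalid id']];
    }
    if (!array_key_exists($id, BOOKS)) {
        return [404, ['error' => 'no such book']];
    }
    return [200, BOOKS[$id]];
}

// Allowlist: only commands listed here can ever be invoked (assumed name).
const COMMANDS = ['getbook' => 'getbook'];

function dispatch(array $request): array
{
    $command = $request['command'] ?? '';
    // Exact lookup in the allowlist. The request value is used only as an
    // array key; it is never passed to eval() or used as a function name.
    if (!is_string($command) || !array_key_exists($command, COMMANDS)) {
        return [400, ['error' => 'unknown command']];
    }
    return (COMMANDS[$command])($request);
}

// ajax.php?command=getbook&id=4 returns the sample record as JSON.
[$status, $body] = dispatch($_GET);
http_response_code($status);
header('Content-Type: application/json');
echo json_encode($body);
```

Adding a server-side operation means adding a handler and an entry in COMMANDS; anything not listed is rejected with a 400 regardless of what the client sends.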