Reputation: 987
So I am making a script where I want to learn how to limit use on one domain, but I need to modify the script before the download. My question is, I want to take a $_GET variable filled out by the user of their website. Customize a script with file_put_contents or something, and then download the modified script. How would I go about this? Does it require JavaScript and PHP, or just JavaScript? I'm not sure how to go about it. An example of modifying a download can be found here
Upvotes: 1
Views: 397
Reputation: 18923
So, if I understood correctly, a user fills in some form with a var (let's call it $var) and clicks the form's submit button to download a file (let's call it 'myscript.php').
You want to edit 'myscript.php' and put the $var inside that script before the user downloads it. Is this assumption correct?
For that you need to prepare your script beforehand by placing a placeholder somewhere and then, before the user downloads the file, you change the placeholder for the intended block of code. Alternatively you can replace the first <?php tag with your code, if that's relevant.
Mini Example:
myscript1.php
    <?php
    $varb = 'a string with DEFAULT VAR inside just to test';
    //Block of code goes here
    //{%%DEFAULT VAR%%}
    print $var;
Code called by form:
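    <?php
    $path = 'myscript1.php';
    $file = file_get_contents($path);
    $var = $_GET['var'];
    // var_export() turns the submitted value into a quoted, escaped PHP literal,
    // so the generated line is valid PHP whatever the user typed
    $block = '
    // valid php code that you put inside script (without <?php)
    // Alternatively you can grab the block of code
    // from a file with file_get_contents
    $var = ' . var_export($var, true) . ';';
    // swap the commented placeholder for the whole block
    $file = str_replace('//{%%DEFAULT VAR%%}', $block, $file);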
Here's a more complete (and complex) example...
myscript2.php
    <?php
    $var = '{%%DEFAULT VAR%%}';
    $varb = 'another string with DEFAULT VAR inside just to test';
    print $var;
Download script (called by the form)
    <?php
    $form =
    '<html>
    <head></head>
    <body>
    <form action="">
    <span>myVar</span><input type="text" id="var" name="var"/><br/>
    <input type="submit" value="download file"/>
    </form>
    </body>
    </html>';
    if (isset($_GET['var'])) {
        $var = $_GET['var'];
        $path = 'myscript2.php';
        $file = file_get_contents($path);
        // PART 1
        /*
         * Tokenizer Approach (read http://php.net/manual/en/book.tokenizer.php)
         * Splits a php file into an Array with tokens (like the ZEND Engine Parser does)
         * Useful for parsing and validating the PHP file
         * In this case we're just checking if the script has
         * $var = {%%DEFAULT VAR%%}; somewhere but you can implement a more complex code to check
         * complete statements or instructions!!! This is just for example's sake!
         * Skip this part if you don't need to validate the script
         */
        $tokens = token_get_all($file);
        if (!validatePHPScript($tokens)) {
            throw new Exception("script didn't pass validation");
        }
        //END PART 1
        // PART 2
        /*
         * The actual string replacement via str_replace
         * It actually just replaces a placeholder for anything
         * you want, in this case the $_GET['var'] value
         * You can actually replace a placeholder for a complete
         * block of code: just put the placeholder in the part you want
         * to insert and then comment it. #{%%PLACEHOLDER_NAME%%}
         * Then replace the placeholder with the comment tag
         *
         */
        // The placeholder sits inside a single-quoted string in myscript2.php,
        // so escape ' and \ in the value to keep it inside that string
        $file = str_replace('{%%DEFAULT VAR%%}', addcslashes($var, "'\\"), $file);
        // END PART 2
        //PART 3
        /*
         * Serve the file to download through headers
         */
        header('Content-type: text/plain');
        header('Content-disposition: attachment; filename=myscript.php');
        header('Expires: 0');
        header('Cache-Control: must-revalidate');
        header('Pragma: public');
        header('Content-Length: ' . strlen($file));
        // only clean the output buffer if one is active
        if (ob_get_level() > 0) {
            ob_clean();
        }
        flush();
        print $file;
        // END PART 3
    } else {
        print $form;
    }
validation function example:
    //Validation example
    function validatePHPScript(array $tokens)
    {
        $max = count($tokens);
        $var_check = false;
        $operator_check = false;
        $string_check = false;
        $semicolon_check = false;
        // loop through all $tokens
        for ($i = 0; $i < $max; ++$i) {
            // only look for variables (tokens with type T_VARIABLE)
            if (is_array($tokens[$i]) && $tokens[$i][0] === T_VARIABLE) {
                // LOOK for a variable named $var
                if ($tokens[$i][1] === '$var') {
                    // Found $var
                    $var_check = true;
                    // let's check if its an assignment statement
                    // by looping through the remaining code until we find a semicolon
                    for ($ii = $i + 1; $ii < $max; ++$ii) {
                        // Look for the operator =
                        if ($tokens[$ii] === '=') {
                            $operator_check = true;
                        // Look for the string and check if it corresponds to the value
                        // we're going to replace
                        } else if ($operator_check && is_array($tokens[$ii]) && $tokens[$ii][0] === T_CONSTANT_ENCAPSED_STRING && $tokens[$ii][1] === "'{%%DEFAULT VAR%%}'") {
                            $string_check = true;
                        // Look for the statement end token (semicolon)
                        } else if ($string_check && $tokens[$ii] === ';') {
                            $semicolon_check = true;
                            break;
                        }
                    }
                    // All checks passed so we don't need to loop anymore
                    if ($var_check && $operator_check && $string_check && $semicolon_check) {
                        return true;
                    } else {
                        // reset checks
                        $var_check = false;
                        $operator_check = false;
                        $string_check = false;
                        $semicolon_check = false;
                    }
                }
            }
        }
        return false;
    }
Upvotes: 2
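An added example, not part of the answer above: because the submitted value ends up as PHP source in the downloaded file, this sketch does the substitution at token level, replacing only the placeholder string literal with a literal built by var_export(). The function name renderScript(), the inline template and the decision to accept only hostnames (the question is about limiting a script to one domain) are assumptions.

```php
<?php
// Added example, not the answerer's code. renderScript() and the inline template are assumptions.
declare(strict_types=1);

const PLACEHOLDER = "'{%%DEFAULT VAR%%}'"; // the quoted placeholder token used in myscript2.php

function renderScript(string $template, string $value): string
{
    // Assumption: the value is a domain name, so accept hostname syntax only.
    if ($value === '' || filter_var($value, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) === false) {
        throw new InvalidArgumentException('not a valid hostname');
    }
    // var_export() returns a PHP string literal with quotes and backslashes escaped.
    $literal = var_export($value, true);

    $out = '';
    $hits = 0;
    foreach (token_get_all($template) as $tok) {
        $text = is_array($tok) ? $tok[1] : $tok;
        // Swap only a token that is a string literal AND equals the placeholder;
        // the same text inside a comment or a longer string is left untouched.
        if (is_array($tok) && $tok[0] === T_CONSTANT_ENCAPSED_STRING && $text === PLACEHOLDER) {
            $text = $literal;
            $hits++;
        }
        $out .= $text; // concatenating every token's text reproduces the source
    }
    if ($hits !== 1) {
        throw new RuntimeException('template must contain the placeholder exactly once');
    }
    return $out;
}

// Constructed template mirroring myscript2.php.
$template = <<<'PHP'
<?php
$var = '{%%DEFAULT VAR%%}';
$varb = 'another string with DEFAULT VAR inside just to test';
print $var;
PHP;

// Constructed inputs: the first is a hostname, the second is not and is rejected.
foreach (['example.com', "ex'ample.com"] as $input) {
    try {
        echo renderScript($template, $input), "\n----\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

The returned string can be sent with the same download headers as PART 3 of the answer.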