amandanovaes

Reputation: 704

Using eval in PHP

I have a file "xxx.php" which has HTML and PHP code in it. When I use include("xxx.php"); it's fine and it works as expected. But I am developing a system where I cannot use include but I can use file_get_contents().

The problem is that if I do echo file_get_contents("xxx.php") it shows the entire source code without interpreting the PHP.

So I did a lot of research and I discovered that I could use eval() to run the PHP code. The problem is that "xxx.php" has php and HTML code. I tried:

eval(file_get_contents("xxx.php"));

But the HTML is not shown. Example of the xxx.php:

<?php
echo "HELLO";
?>
<b>HELLO BOLD</b>
<?php
echo "BYE";
?>

The problem is that the eval does not show any HELLO!

Upvotes: 0

Views: 1167

Answers (3)

PleaseStand

Reputation: 32082

Prepend "?>\n" to the PHP code (to go into HTML mode) before evaling it:

eval("?>\n" . file_get_contents("xxx.php"));

And fix the security problems in your CMS so you won't have to resort to such drastic measures to dodge the script kiddies' attacks.

Upvotes: 2

Marc B

Reputation: 360702

echo file_get_contents() showing the code is to be expected. f_g_c() does not EXECUTE anything it retrieves. It simply slurps the bytes from the disk and returns them as a string. That's why you need eval().

As well, when you eval() code, you should NOT include the <?php delimiters. e.g.

php > eval('2+2;'); // no return, no echo, so no output
php > eval('echo 2+2;');
4
php > eval('<?php echo 2+2;');
PHP Parse error:  syntax error, unexpected '<' in php shell code(1) : eval()'d code on line 1
php >

Comment follow-up:

just treat anything you feed to eval as if it was a normal PHP script that just so happens to have a <?php opening tag magically applied to it:

php > eval('?> foo <?php echo 2+2;');
 foo 4

If you exit PHP mode as the first thing in the eval block, eval will just treat that text as normal output, just like a full-blown PHP script would.

Upvotes: 2
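The following is an added, runnable example (not code from the question or from any of the answers) that puts PleaseStand's and Marc B's points side by side: a constructed stand-in for xxx.php is written to a temp file, evaluated naively (which throws a ParseError because eval starts in PHP mode), evaluated with "?>\n" prepended, and finally included the normal way. The file name, its contents and the capture() helper are all constructed for this demonstration; the comparison at the end shows that the "?>" trick reproduces include exactly, so it executes whatever is in the file with the same privileges and offers no isolation over include.

```php
<?php
// Added example, not from the question or any answer above.
// Demonstrates: eval(file_get_contents(...)) vs. eval("?>\n" . ...) vs. include.

// Constructed stand-in for the questioner's xxx.php, same shape as in the question.
$template = "<?php\necho \"HELLO\";\n?>\n<b>HELLO BOLD</b>\n<?php\necho \"BYE\";\n?>\n";
$path = sys_get_temp_dir() . '/xxx_demo_' . bin2hex(random_bytes(4)) . '.php';
file_put_contents($path, $template);

// Helper (constructed): run a callback with output buffering and return what it printed.
// If the callback throws (e.g. ParseError), the buffer is discarded before rethrowing
// so no stray output buffer is left open.
function capture(callable $fn): string {
    ob_start();
    try {
        $fn();
        return ob_get_clean();
    } catch (Throwable $e) {
        ob_end_clean();
        throw $e;
    }
}

$source = file_get_contents($path);

// 1. Naive: eval() begins in PHP mode, so the leading "<?php" in the file is a
//    syntax error. PHP 7+ reports this as a ParseError we can catch.
try {
    $naive = capture(function () use ($source) { eval($source); });
} catch (ParseError $e) {
    $naive = 'ParseError: ' . $e->getMessage();
}

// 2. Fixed (PleaseStand's answer): "?>\n" switches the parser to HTML mode first,
//    exactly the state a script file starts in, so the file's own "<?php" / "?>"
//    tags are now valid and the HTML between them is emitted as output.
$fixed = capture(function () use ($source) { eval("?>\n" . $source); });

// 3. Reference: a plain include of the same file.
$included = capture(function () use ($path) { include $path; });

unlink($path);

echo "naive:     ", $naive, "\n";
echo "fixed:     ", json_encode($fixed), "\n";
echo "included:  ", json_encode($included), "\n";
// The two outputs are byte-for-byte identical: the "?>" trick is just include by
// another route, so any PHP in the file runs with the full privileges of the caller.
echo "identical: ", var_export($fixed === $included, true), "\n";
```

Run it with the PHP CLI (php demo.php). Note that a "?>" immediately followed by a newline swallows that newline, which is why the prepended "?>\n" adds nothing to the output and why the line breaks after each "?>" in the file do not appear either; both eval and include apply that rule, which is what makes the outputs match.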

Orangepill

Reputation: 24645

For the love of <insert deity here> don't do this... but your code is failing because you need to remove the <?php from the top of the eval.

Eval expects PHP code, so the <?php and ?> are assumed.

What you are doing here is not securing your site but making it easier to hack.

Upvotes: 0
