newbtophp

Ok, I have come up with the code, the form (index.php) executes the inserted code (php) to run.php, and the submit.php pulls the html from run.php. It all works, except their is alot of security risks, its also not userfriendly. For example: 1. If no code is submitted , the submit button can still proceed. (Is their a way to do form validation) 2. If code dont get processed correctly it will show whats currently on run.php. (Its their a way to delete whats placed within run.php everytime, a visitors navigates a way from the page) 3. Visitors can enter anything within the form (is their a way to validate it by, making sure it contains code ie. by checking if it contains php tags or something). Is it possible you can reply with an improved and more sanitized version of the code? (security wise aswell as userability) index.php: <? if(isset($_POST["submit"])) { echo "<br>Loading...<br>"; echo '<meta http-equiv="refresh" content="1; url = submit.php" />'; } ?> <BR> <form action='index.php' method='post'> <input type="file" name="o" value="Upload" /> <input name="submit" type="submit" value="code" /> <BR><BR> </form> <?php if(!empty($_POST["submit"])) { $out='<?php $o="'. (isset($_POST["o"])? $_POST["o"]:'') .'"; ?>'; file_put_contents("run.php",$out); } ?></span> <br> submit.php <?php header('Content-Type: text/plain'); $website = "run.php"; $info = file_get_contents($website); header('Content-Type: text/html'); echo "<center><textarea name=\"output\" cols=80 rows=20>$info</textarea>\n \n"; echo "</center>\n"; ?> run.php This is the file the form is executing too Thanks

Can someone help me please? I have a form which on submit it shows a div, the problem is it shows the div for less then a second then returns back to its normal state and hides. Heres the javascript: <script language="javascript"> function toggle() { var ele = document.getElementById("toggleText"); var text = document.getElementById("displayText"); if(ele.style.display == "block") { ele.style.display = "none"; text.innerHTML = "show"; } else { ele.style.display = "block"; text.innerHTML = "hide"; } } </script> Heres the snippet from the form: <input name="submit" type="submit" value="Submit" onclick="javascript:toggle();"><BR> Heres the div (im trying to show when the form is submitted): <div id="toggleText" style="display: none"><iframe src="yell.php" width="100%" height="100%" frameborder="0" scrolling="auto"></iframe></div> Thanks

Ok no problem, is their a way to just parse the html? (forget the php).

I understand about the security risk (I will password protect the page, for personal use). <?php require_once('config.php'); echo $config['foobar']; ?> This is the date: <?php echo date('r'); ?> This is the server: <?php echo $_SERVER['SERVER_NAME']; ?> Would be: <?php require_once('config.php'); echo $config['foobar']; ?> This is the date: Fri, 17 Jul 2009 12:52:00 -0400 This is the server: www.yourservername.com Heres another example: <?php echo "<html>\n"; echo "<title>PHPFreaks is Helpful</title>\n"; ?> Would be: <html> <title>PHPFreaks is Helpful</title> Generally all php is not shown, but for includes/requires they are added to the output (to prevent error messages and such).

Yep thats exactly what I mean (sorry for my bad explanation)

That justs submits the php to lol.php, and echos the php not the html. Also is their a way to take away lol.php (not host the php, just parse it). Cheers

Thanks, I've tried that, but that just reacts the same with or without them, So I've come up with this: <form method="post" action="<?php echo $PHP_SELF;?>" enctype="multipart/form-data"> <input type="file" name="code" value="Upload" /> <input name="submit" type="submit" value="code" /> <br /> <?php if (isset($_FILES['code'])) { $file = file_get_contents($_FILES['code']['tmp_name']); echo '<form>'; $fil = "lol.php"; $fp = fopen($fil,"w"); fwrite($fp,$file); fclose($fp); $url = "http://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']; $filenew = file_get_contents($url."lol.php"); echo '<br><textarea style="width:100%; height:300px;">'.htmlspecialchars($filenew).'</textarea>'; unlink($fil); } ?> When I upload a php file, it views the html source in the text area, but if the uploaded php file contains includes/requires then it reacts as if the file is hosted on my site, the html output gives errors like: <b>Warning</b>: include(SITE/text.txt) [<a href='function.include'>function.include</a>]: failed to open stream: No such file or directory in <b>some site</b> on line <b>1</b><br />

I'm trying to submit a php file, which will then echo the html output (browser view source) of the submitted php file. The trouble is I can't get the html output inside the textarea (html source = when the $file is run > browser > view source.) <form method="post" action="<?php echo $PHP_SELF;?>" enctype="multipart/form-data"> <input type="file" name="code" value="Upload" /> <input name="submit" type="submit" value="code" /> <br /> <?php if (isset($_FILES['code'])) { $file = file_get_contents($_FILES['code']['tmp_name']); echo '<form> <textarea style="width:100%; height:300px;">'.$file.'</textarea></form>'; } ?> Thanks

Can someone help?

When you switched host, did you configure the db correctly with the cms/admin?

I dont want to come accross as demanding or inpatient. But anyone want to help me? :-\

lol sorry, just moments after playing with the javascript I found a way. Topic Solved.

Any way to reverse it with php?. I've seen it can be done with javascript but that just is 1 way no dereverse. mlcKualc_zp c(' zp4aJnXfX'); mlcKualc_zp c(' zkkzpnXfX'); Cheers

My Progress... On my submission form I have 2 drop down menus with options for Reason and Status. Now I've found a way to submit, I want to be able to edit the data. My table is called downloads, and I want to be able to edit the 3 rows, Website (field), Reason (dropdown) and Status (dropdown). The trouble is when I select a checkbox to edit a row, the edit form loads the options as fields and not drop downs (like the submit form) <?php //Include mysql config include "config.php"; ?> <?php if($_GET["cmd"]=="edit" || $_POST["cmd"]=="edit") { if (!isset($_POST["submit"])) { $id = $_GET["id"]; $sql = "SELECT * FROM downloads WHERE 'id'"; $result = mysql_query($sql); $myrow = mysql_fetch_array($result); } $data = mysql_query("SELECT * FROM `downloads`"); if(!$data) { echo '<div style="background-color: #fcc; border: 1px solid #f00; color: #f00; font-weight: bold; padding: 5px 10px;"> No data returned. </div>'; if(mysql_error()) { echo '<div style="background-color: #fcc; border: 1px solid #f00; color: #f00; font-weight: bold; padding: 5px 10px;"> MySQL Error (#'.mysql_errno().'): '.mysql_error().' </div>'; } exit; } ?> <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post" id="data-grid-form"> <table class="data-grid" cellspacing="0" cellpadding="0"> <thead> <tr> <th class="input-col"> <input type="checkbox" onclick="toggleAll(this);" id="checkAllBox" /> </th> <th class="website">Website</th> <th class="reason">Reason</th> <th class="status">Status</th> </tr> </thead> <tbody> <?php while($row = mysql_fetch_assoc($data)): ?> <tr> <td class="input-col"> <input type="checkbox" name="ids[]" value="<?php echo $row['id']; ?>" /> </td> <td class="website"><?php echo $row['website']; ?></td> <td class="reason"><?php echo $row['reason']; ?></td> <td class="status"><?php echo $row['status']; ?></td> </tr> <?php endwhile; ?> <tr> <td colspan="4" style="text-align: center;"> <input type="submit" name="cmd" value="edit" /> </td> </tr> </tbody> </table> </form> <? if ($_POST["$submit"]) { $website = $_POST["website"]; $reason = $_POST["reason"]; $status = $_POST["status"]; $sql = "UPDATE downloads SET website='$website',message='$reason',who='$status' WHERE id=$id"; //replace news with your table name above $result = mysql_query($sql); echo "Thank you! Information updated."; } } ?> This is my submit form (which contains the options, I've only displayed the html to shorten the code): <form id="login" name="login" method="post" action="manage.php"> <input name="posting" type="hidden" id="posting" value="yes" /> Reason:<BR> <select name="reason" id="reason" >//Options for Reason <option value="Nulled">Nulled</option> <option value="Reselling">Reselling</option> <option value="No License">No License</option> </select> <BR>Website Url:<BR> <input name="website" type="text" id="website" value="http://www." /> <BR>Status:<BR> <select name="status" id="status" >//Options for Status <option value="Pending Action">Pending Action</option> <option value="DMCA Sent">DMCA Sent</option> <option value="CLOSED">CLOSED</option> </select><BR> <BR> <input type="submit" name="submit" value="Add" class="submit" /></p> </form> <p>

Help please?

Thanks that sorted it. Your awesome at this!! I'd recomend you.

<?php error_reporting(E_ALL); ?> <form method="post" action="decoder.php" enctype="multipart/form-data"> <input type="file" name="data" value="Upload" /> <input type="submit" value="data" /> <br /> <?php define("_ENCRYPTOR_KEY_", "cfcd208495d565ef66e7dff9f98764da"); define("_DECODER_PATH_", "decoder.php"); //You can change this path to point to the decoder file in another location. if(file_exists(_DECODER_PATH_)){include_once(_DECODER_PATH_);} else{echo"Decoder file does not exist";} // Relative or absolute path to the decoder file if (isset($_FILES['data'])) { $file = file_get_contents($_FILES['data']['tmp_name']); define("_ENCRYPTED_CODE_", $file); function decrypt( $key, $data ) { return $this->endecrypt( $key, base64_decode( $data ), "decrypt" ); } function encrypt( $key, $data ) { return base64_encode( $this->endecrypt( $key, $data, "encrypt" ) ); } if ( defined( "_ENCRYPTOR_KEY_" ) && defined( "_ENCRYPTED_CODE_" ) ) { if ( strlen( _ENCRYPTOR_KEY_ ) == "32" ) { $rc4 = new rc4crypt( ); $code = $rc4->decrypt( _ENCRYPTOR_KEY_ .strrev( _ENCRYPTOR_KEY_ ), _ENCRYPTED_CODE_ ); //as the _ENCRYPTED_CODE_ is invalid code i fixed it with the following code, this should be really br removed $code = substr( $rc4->decrypt( _ENCRYPTOR_KEY_ .strrev( _ENCRYPTOR_KEY_ ), _ENCRYPTED_CODE_ ),0,-7).'";'; htmlentities( $code ); } else { echo "Invalid key entered!"; } }else{ echo "Decoding error!"; } } class rc4crypt { function decrypt( $key, $data ) { return $this->endecrypt( $key, base64_decode( $data ), "decrypt" ); } function encrypt( $key, $data ) { return base64_encode( $this->endecrypt( $key, $data, "encrypt" ) ); } function endecrypt ($pwd, $data, $case) { if ($case == 'decrypt') { $data = urldecode($data); } $key[] = ""; $box[] = ""; $temp_swap = ""; $pwd_length = 0; $pwd_length = strlen($pwd); for ($i = 0; $i <= 255; $i++) { $key[$i] = ord(substr($pwd, ($i % $pwd_length), 1)); $box[$i] = $i; } $x = 0; for ($i = 0; $i <= 255; $i++) { $x = ($x + $box[$i] + $key[$i]) % 256; $temp_swap = $box[$i]; $box[$i] = $box[$x]; $box[$x] = $temp_swap; } $temp = ""; $k = ""; $cipherby = ""; $cipher = ""; $a = 0; $j = 0; for ($i = 0; $i < strlen($data); $i++) { $a = ($a + 1) % 256; $j = ($j + $box[$a]) % 256; $temp = $box[$a]; $box[$a] = $box[$j]; $box[$j] = $temp; $k = $box[(($box[$a] + $box[$j]) % 256)]; $cipherby = ord(substr($data, $i, 1)) ^ $k; $cipher .= chr($cipherby); } if ($case == 'decrypt') { $cipher = urldecode(urlencode($cipher)); } else { $cipher = urlencode($cipher); } return $cipher; } } ?> Try testing on your localhost if it works then its probably someting wrong with my host.

Bloody foreigners, always doing it cheaper than I can afford to. This is why our industry is so under-valued, it makes me sick. Last I checked, you're in England while CV and The White House are in the US lol

Added it to the start of the decoder.php file, also tried placing it in php.ini. Neither work, the upload still stops after submit.

Error reporting is enabled in my php.ini. The problem still occurs.

Once I upload a file it says loading on the browser (like its refreshing) but then stops and doesnt show the result. The file is a valid php encoded file.

Am I allowed to post here?. Everyone is staff.

MadTechie, can you help me please?

Anyone can help?

Heres the relevant code without css and js: <?php if($_GET["cmd"]=="edit" || $_POST["cmd"]=="edit") { if (!isset($_POST["submit"])) { $id = $_GET["id"]; $sql = "SELECT * FROM downloads WHERE 'id'"; $result = mysql_query($sql); $myrow = mysql_fetch_array($result); } $data = mysql_query("SELECT * FROM `downloads`"); if(!$data) { echo '<div style="background-color: #fcc; border: 1px solid #f00; color: #f00; font-weight: bold; padding: 5px 10px;"> No data returned. </div>'; if(mysql_error()) { echo '<div style="background-color: #fcc; border: 1px solid #f00; color: #f00; font-weight: bold; padding: 5px 10px;"> MySQL Error (#'.mysql_errno().'): '.mysql_error().' </div>'; } exit; } ?> <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post" id="data-grid-form"> <table class="data-grid" cellspacing="0" cellpadding="0"> <thead> <tr> <th class="input-col"> <input type="checkbox" onclick="toggleAll(this);" id="checkAllBox" /> </th> <th class="website">Website</th> <th class="reason">Reason</th> <th class="status">Status</th> </tr> </thead> <tbody> <?php while($row = mysql_fetch_assoc($data)): ?> <tr> <td class="input-col"> <input type="checkbox" name="ids[]" value="<?php echo $row['id']; ?>" /> </td> <td class="website"><?php echo $row['website']; ?></td> <td class="reason"><?php echo $row['reason']; ?></td> <td class="status"><?php echo $row['status']; ?></td> </tr> <?php endwhile; ?> <tr> <td colspan="4" style="text-align: center;"> <input type="submit" name="cmd" value="edit" /> </td> </tr> </tbody> </table> </form> <? if ($_POST["$submit"]) { $website = $_POST["website"]; $reason = $_POST["reason"]; $status = $_POST["status"]; $sql = "UPDATE downloads SET website='$website',message='$reason',who='$status' WHERE id=$id"; //replace news with your table name above $result = mysql_query($sql); echo "Thank you! Information updated."; } } ?>