newbtophp Posted July 16, 2009

I'm trying to submit a php file, which will then echo the html output (browser view source) of the submitted php file. The trouble is I can't get the html output inside the textarea (html source = when the $file is run > browser > view source.)

```php
<form method="post" action="<?php echo $PHP_SELF;?>" enctype="multipart/form-data">
<input type="file" name="code" value="Upload" />
<input name="submit" type="submit" value="code" />
<br />
<?php
if (isset($_FILES['code'])) {
    $file = file_get_contents($_FILES['code']['tmp_name']);
    echo '<form> <textarea style="width:100%; height:300px;">'.$file.'</textarea></form>';
}
?>
```

Thanks

rhodesa Posted July 16, 2009

try

```php
echo '<form><textarea style="width:100%; height:300px;">'.htmlspecialchars($file).'</textarea></form>';
```

newbtophp Posted July 17, 2009

Thanks, I've tried that, but that just reacts the same with or without them. So I've come up with this:

```php
<form method="post" action="<?php echo $PHP_SELF;?>" enctype="multipart/form-data">
<input type="file" name="code" value="Upload" />
<input name="submit" type="submit" value="code" />
<br />
<?php
if (isset($_FILES['code'])) {
    $file = file_get_contents($_FILES['code']['tmp_name']);
    echo '<form>';
    $fil = "lol.php";
    $fp = fopen($fil,"w");
    fwrite($fp,$file);
    fclose($fp);
    $url = "http://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'];
    $filenew = file_get_contents($url."lol.php");
    echo '<br><textarea style="width:100%; height:300px;">'.htmlspecialchars($filenew).'</textarea>';
    unlink($fil);
}
?>
```

When I upload a php file, it views the html source in the text area, but if the uploaded php file contains includes/requires then it reacts as if the file is hosted on my site, the html output gives errors like:

```
<b>Warning</b>: include(SITE/text.txt) [<a href='function.include'>function.include</a>]: failed to open stream: No such file or directory in <b>some site</b> on line <b>1</b><br />
```

rhodesa Posted July 17, 2009

You don't want the URL to the file, you want the local file system path (which is $fil). By using the full URL it's actually getting it through the web, and since it's a PHP file, your webserver is processing it:

```php
<form method="post" action="<?php echo $PHP_SELF;?>" enctype="multipart/form-data">
<input type="file" name="code" value="Upload" />
<input name="submit" type="submit" value="code" />
<br />
<?php
if (isset($_FILES['code'])) {
    $fil = "lol.php";
    move_uploaded_file($_FILES['code']['tmp_name'],$fil);
    echo '<form>';
    $filenew = file_get_contents($fil);
    echo '<br><textarea style="width:100%; height:300px;">'.htmlspecialchars($filenew).'</textarea>';
    unlink($fil);
}
?>
```

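The two points made in the replies above (escape with htmlspecialchars(), read the upload by local path rather than by URL) combined in one handler, as an added example that is not code from any poster. The function names and the 64 KiB limit are assumptions; the upload is read straight from PHP's temporary file and is never copied into the web root.

```php
<?php
// Added example: show an uploaded file's source text without ever executing it.
const MAX_BYTES = 65536; // assumed size limit, not from the thread

function uploaded_source(array $upload): string
{
    // Reject failed or missing uploads (submit pressed with no file chosen).
    if (($upload['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('No file was uploaded.');
    }
    // Only accept a path that PHP itself created for this request's upload.
    if (!is_uploaded_file($upload['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file.');
    }
    if ($upload['size'] > MAX_BYTES) {
        throw new RuntimeException('File is too large.');
    }
    // Local path read: no copy under the web root and no HTTP request back
    // to this server, so any PHP inside the file is never run.
    $text = file_get_contents($upload['tmp_name']);
    if ($text === false) {
        throw new RuntimeException('Could not read the upload.');
    }
    return $text;
}

function textarea(string $text): string
{
    // Escaping keeps a "</textarea>" inside the file from closing the box.
    $safe = htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<textarea style="width:100%; height:300px;">' . $safe . '</textarea>';
}

$message = '';
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    try {
        $message = textarea(uploaded_source($_FILES['code'] ?? []));
    } catch (RuntimeException $e) {
        $message = '<p>' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8') . '</p>';
    }
}
?>
<form method="post" action="" enctype="multipart/form-data">
  <input type="file" name="code" />
  <input name="submit" type="submit" value="code" />
</form>
<?= $message ?>
```
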
newbtophp Posted July 17, 2009

That just submits the php to lol.php, and echoes the php not the html.

Also is there a way to take away lol.php (not host the php, just parse it).

Cheers

rhodesa Posted July 17, 2009

So...you want the PHP in the file parsed? If I upload the following file:

```php
This is the date: <?php echo date('r'); ?>
This is the server: <?php echo $_SERVER['SERVER_NAME']; ?>
```

You want that text in the textarea to be:

```
This is the date: Fri, 17 Jul 2009 12:52:00 -0400
This is the server: www.yourservername.com
```

??

newbtophp Posted July 17, 2009

> So...you want the PHP in the file parsed? If I upload the following file:
>
> ```php
> This is the date: <?php echo date('r'); ?>
> This is the server: <?php echo $_SERVER['SERVER_NAME']; ?>
> ```
>
> You want that text in the textarea to be:
>
> ```
> This is the date: Fri, 17 Jul 2009 12:52:00 -0400
> This is the server: www.yourservername.com
> ```
>
> ??

Yep, that's exactly what I mean (sorry for my bad explanation)

rhodesa Posted July 17, 2009

First off...this is a HUGE (and by HUGE I mean HUGE) security risk. You are allowing anyone to put PHP code on your server and run it. They could delete files, steal information, do pretty much anything.

That being said, the way you are doing it with the URL would work, so would using eval(). But you will always have a problem with includes. Keep on your example basis, what should the output of the following look like if I uploaded it:

```php
<?php
require_once('config.php');
echo $config['foobar'];
?>
This is the date: <?php echo date('r'); ?>
This is the server: <?php echo $_SERVER['SERVER_NAME']; ?>
```

newbtophp Posted July 17, 2009

I understand about the security risk (I will password protect the page, for personal use).

```php
<?php
require_once('config.php');
echo $config['foobar'];
?>
This is the date: <?php echo date('r'); ?>
This is the server: <?php echo $_SERVER['SERVER_NAME']; ?>
```

Would be:

```php
<?php
require_once('config.php');
echo $config['foobar'];
?>
This is the date: Fri, 17 Jul 2009 12:52:00 -0400
This is the server: www.yourservername.com
```

Here's another example:

```php
<?php
echo "<html>\n";
echo "<title>PHPFreaks is Helpful</title>\n";
?>
```

Would be:

```
<html>
<title>PHPFreaks is Helpful</title>
```

Generally all php is not shown, but for includes/requires they are added to the output (to prevent error messages and such).

rhodesa Posted July 17, 2009

I can't think of any way to parse just some of the PHP code

newbtophp Posted July 17, 2009

> I can't think of any way to parse just some of the PHP code

Ok no problem, is there a way to just parse the html? (forget the php).

rhodesa Posted July 17, 2009

Parse the HTML? Just echo the contents inside a div without htmlspecialchars().

Can you back up and just explain what you are trying to accomplish with this? There might be a better/easier way that we are missing.

newbtophp Posted July 22, 2009

Ok, I have come up with the code: the form (index.php) executes the inserted code (php) to run.php, and the submit.php pulls the html from run.php.

It all works, except there are a lot of security risks, and it's also not user-friendly.

For example:

1. If no code is submitted, the submit button can still proceed. (Is there a way to do form validation?)
2. If code doesn't get processed correctly it will show what's currently on run.php. (Is there a way to delete what's placed within run.php every time a visitor navigates away from the page?)
3. Visitors can enter anything within the form (is there a way to validate it by making sure it contains code, i.e. by checking if it contains php tags or something?).

Is it possible you can reply with an improved and more sanitized version of the code? (security wise as well as usability)

index.php:

```php
<?
if(isset($_POST["submit"])) {
    echo "<br>Loading...<br>";
    echo '<meta http-equiv="refresh" content="1; url = submit.php" />';
}
?>
<BR>
<form action='index.php' method='post'>
<input type="file" name="o" value="Upload" />
<input name="submit" type="submit" value="code" />
<BR><BR>
</form>
<?php
if(!empty($_POST["submit"])) {
    $out='<?php $o="'. (isset($_POST["o"])? $_POST["o"]:'') .'"; ?>';
    file_put_contents("run.php",$out);
}
?></span>
<br>
```

submit.php:

```php
<?php
header('Content-Type: text/plain');
$website = "run.php";
$info = file_get_contents($website);
header('Content-Type: text/html');
echo "<center><textarea name=\"output\" cols=80 rows=20>$info</textarea>\n \n";
echo "</center>\n";
?>
```

run.php:

This is the file the form is executing to

Thanks

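One way to address the three numbered questions in the post above, as an added example that is not code from the thread: the submission is handled as data, checked, and echoed back escaped, and nothing is written into a .php file, so there is no run.php to go stale. The function names, the 64 KiB limit and the sample inputs are assumptions constructed for illustration.

```php
<?php
// Added example: validate a submission and return it escaped, without
// storing request data in a file the web server would execute.

function contains_php(string $text): bool
{
    // token_get_all() splits the text the way the PHP parser would; an
    // open-tag token means the submission contains PHP, not only HTML/text.
    foreach (token_get_all($text) as $token) {
        if (is_array($token) && in_array($token[0], [T_OPEN_TAG, T_OPEN_TAG_WITH_ECHO], true)) {
            return true;
        }
    }
    return false;
}

function validate_submission(?string $text, int $maxBytes = 65536): array
{
    $errors = [];
    if ($text === null || trim($text) === '') {
        $errors[] = 'Nothing was submitted.';            // question 1
    } elseif (strlen($text) > $maxBytes) {
        $errors[] = 'Submission is too large.';
    } elseif (!contains_php($text)) {
        $errors[] = 'Submission contains no PHP tags.';  // question 3
    }
    return $errors;
}

function render(string $text): string
{
    // Question 2: nothing was saved to run.php, so there is nothing old to
    // show or clean up. The text goes straight back out, escaped.
    return '<textarea name="output" cols="80" rows="20">'
        . htmlspecialchars($text, ENT_QUOTES, 'UTF-8') . '</textarea>';
}

// Constructed sample inputs (not from the thread).
$samples = [null, '   ', '<b>plain html</b>', 'Date: <?php echo date("r"); ?>'];
foreach ($samples as $sample) {
    $errors = validate_submission($sample);
    echo $errors ? implode(' ', $errors) : render($sample), PHP_EOL;
}
```

Only the last sample passes validation, and it comes back as escaped source text rather than being run.
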
newbtophp Posted July 23, 2009

Anyone can help?