dynamic PHP lines of code

chatterbagz

I've been working with Flash and PHP, and I wanted to write actual lines of PHP code from Flash. Is something like this possible?

'Thanx!

chatterbagz

Sorry I wasn't clear.

Can a variable be an Actual line of code?
Say, $test has a value of "echo "this is a dynamic line of code!";

I can't get it to work yet....

Hiccup

It's possible...

$test = "echo \"This line of code.\"";

As far as that variable working in a php code, I'd be interested to know the answer myself...

chatterbagz

Thanks hiccup,

I'm still working on it. Hopefully I can get it to work- it would save me alot of coding.

chatterbagz

...Can't get it to work the way I want.

I know a little Flash and a little PHP, but it's obviously not enough.

I'm just trying to something that seems to be simple, but I can't figure it out.

I can send my variables successfully from Flash to PHP, but I'm looking for a simple PHP line that would make a Posted variable an actual line of code.

Here's how I envisioned it simply:

<?php
$test = $HTTP_POST_VARS['test'];
$test
?>

where $test has a value of-
echo "it works";

which was sent from flash.

Do you see what I'm trying to do?

I have an unlimited amount of instances in Flash that would send a different value of "test" to the PHP $test.
These values would range from echo statements to simple MySQL queries and returns.

Or am I going to have to write an enormous amount of specific variables?

-preesh!

statrat

http://www.php.net/manual/en/function.eval.php
"eval -- Evaluate a string as PHP code"

<?php
$test = $HTTP_POST_VARS['test'];
eval($test)
?>

"There are some factors to keep in mind when using eval(). Remember that the string passed must be valid PHP code, including things like terminating statements with a semicolon so the parser doesn't die on the line after the eval(), and properly escaping things in code_str. "

Weedpacket

And another thing about eval() that should be kept in mind: if the string you're giving it is coming from the client in any way, DON'T TRUST IT!

Otherwise what you're dong is in effect giving everyone in the world permission to run any program they like on your computer. Once people get a whiff of the fact that you're taking PHP code supplied from client machines (and they will), you'll start seeing requests coming in to your server containing code to reformat your hard drive.

Doesn't matter if you're using Flash to put together the code and that you've ensured that it is only sending safe code: all the server sees is an HTTP request, any part of which could be bogus. You can just hear your mother saying "Get that out of there this instant! You don't even know where it's been!" She's right.

Safer to allow only a limited selection of functions, and have the Flash program send just the arguments and the name of the function to use. That way you can examine them to see if they're safe before trying to use them.

chatterbagz

Interesting...

But, if I'm only using a published .swf file to generate and send the code to the PHP docuement, am I still to be worried?
Are you talking about someone cracking my .swf file and then using that to send harmful code to the PHP document?

That would require hacking into my webserver right? Or am I missing something?

If I have an eval() line of code in a PHP document, does that leave the door open for everyone?

Sorry for all of the questions, I'm just interested in the security of this.

Weedpacket

No, no cracking into your .swf is necessary; it's doable and can make things easier, but all one needs to do is look at the http requests it is sending to the server. Something like

POST http://www.example.com/script.php HTTP/1.0
Proxy-Connection: Keep-Alive
User-Agent: Flash 5
Host: www.example.com
Content-type: application/x-www-form-urlencoded
Content-length: 37

code=system%28%22format+c%3A%22%29%3B

...to pick a pretty trivial payload (it's easy enough to figure out what OS a given server is running on, if you're wondering). More cunning attacks are left as exercises for the reader.
Now the thing is, I wrote that by hand off the top of my head. It would only take a look at a real request as generated by the swf as it departs Flash and heads off toward the server to replace the bits I made up (such as the User Agent header) with the genuine article, and hence slip whatever PHP code I wanted into the request.

It's no good just looking for particular "dangerous" pieces of code, either, for reasons that a search of Google on the word "japh" will hint at.

Now if you were to build some high-grade encryption software into both your Flash and PHP scripts, then they can communicate a bit more securely (just because I can read the code to the Blowfish cipher doesn't mean I'm therefore able to break it), but from what I can see it really wouldn't be worth the bother (or bloat); just clamp down and allow only certain operations; once you do that you don't need to expose the full generality of eval() to the world.

chatterbagz

Thanks for the information. You're tha man.