[RESOLVED] Disabling PHP code execution (help!)

Senzuri

hey, first post here! 🆒
I was wondering if anyone could possibly help me with this.

I have made up a script on my website that displays a text box area that can be edited. (Basically for copy and pasting large text messages to friends) I finished setting it up, and I was sorta happy with the end result, but then I tried to execute PHP code within this, and it allowed it :queasy:

These are the files that I'm using:
dump.php (To display and change the text)
post.php (To phrase the text to a .txt document)
text.txt (The file that stores the text)

The form on dump.php is as follows:

<form id="form1" name="form1" method="post" action="post.php">
	<label>
	<textarea name="textfield" cols="100" rows="25"><?php include_once("./stats/text.txt"); ?>
	</textarea>
	<div align="left"></div>
	<input type="submit" value="Save" />
	</p>
	</label>
</form>

and my post.php is as follows:

<?php
	if(isset($_POST['textfield']))
	{
		$File = "./stats/text.txt";
		$Handle = fopen($File, 'w');
		$Data = "{$_POST['textfield']}\n";
		fwrite($Handle, $Data);
		fclose($Handle);
		header( 'Location: dump.php' ) ;
	}
?>

The question here was to try and disable execution of PHP code within this. If anyone could help me out that would be great, thanks! 🆒

laserlight

Use say, [man]htmlspecialchars/man or [man]htmlentities/man.

Piranha

You should use [man]htmlspecialchars[/man] on every variable that you insert in the HTML page that you don't want to be treated as HTML/PHP.

But that won't help you since you include the file. A strange way of doing it I have to say, a database would be much better. If you for some reason really want to use files I think that [man]readfile[/man] or [man]file_get_contents[/man] is what you need.

laserlight

But that won't help you since you include the file.

I believe it will, since the PHP start tag would also be modified.

Senzuri

Thanks for the fast replies!

Piranha, I don't really mind which method is used to store the text. The database idea sounds great, although I wouldn't really know how to code something like that up :queasy:

If anyone could provide me with further assistance that would be awesome!

Senzuri

Thank you, Piranha the "readfile" function worked well!
Edit: Now this is happening :glare:
When I type into the textfield

<?php echo("test"); ?>

I get this instead <?php echo(\"test\"); ?>
Can anyone help me out?

laserlight

You probably have magic_quotes_gpc set to On, so you have to use [man]stripslashes/man. If possible, turn it off (the setting is in php.ini).

Senzuri

laserlight wrote:
You probably have magic_quotes_gpc set to On, so you have to use [man]stripslashes/man. If possible, turn it off (the setting is in php.ini).

Yep, it's turned on. I tried doing the following, but it didn't seem to work:

<?php
  $rd = readfile("./stats/text.txt");
  stripslashes($rd); ?>

What am I doing wrong? 🙁

laserlight

I suggest using stripslashes() before you write to the file. You can use it after you read from the file, but here readfile() outputs the file immediately, so you do not have such a chance.

Senzuri

Sorry, I realized that I was meant to edit the 'post.php' file instead.
I changed this line and it worked!

$Data = stripslashes("{$_POST['textfield']}");

Thanks laserlight and Piranha! You have both been very helpful

bradgrafelman

Don't forget to mark this thread resolved.

Piranha

laserlight wrote:
I believe it will, since the PHP start tag would also be modified.

I don't believe so since include will evaluate the file and not just copy the contents to a variable. I can't see any way to use include but do other things before including, please show me if you can think of it.

laserlight

I don't believe so since include will evaluate the file and not just copy the contents to a variable.

If you read the PHP manual on [man]include[/man], you would find that:

When a file is included, parsing drops out of PHP mode and into HTML mode at the beginning of the target file, and resumes again at the end. For this reason, any code inside the target file which should be executed as PHP code must be enclosed within valid PHP start and end tags.

Piranha

Ok, then we just understood it differentley. I thought that Senzuri wanted to have the ability to show php code, ie include a file with <?php and ?>.

laserlight

Oh, I think you missed: "I was sorta happy with the end result, but then I tried to execute PHP code within this, and it allowed it :queasy: "

Piranha

Not at all. I interperated it like he didn't want the PHP code to be executed, that's why he was not happy when it was executed.

bradgrafelman

Also note that a better solution is to turn off magic_quotes_gpc.