
A tool to execute PHP scripts

I am looking for a tool to execute PHP scripts
entered in an HTML form. For example: user is
given a problem to solve. He writes a PHP script,
sends it to a server, where it is executed
and results are sent back to the user. Are
such tools available at all?

Thanks in advance.

Marek Kotowski
Warsaw
Jul 17 '05 #1
Marek Kotowski wrote:
I am looking for a tool to execute PHP scripts
entered in an HTML form. For example: user is
given a problem to solve. He writes a PHP script,
sends it to a server, where it is executed
and results are sent back to the user. Are
such tools available at all?

Thanks in advance.

Marek Kotowski
Warsaw


PHP's eval() should do the trick.
But be afraid, be *very* afraid to use it with user input :)

http://www.php.net/eval
--
--= my mail box only accepts =--
--= Content-Type: text/plain =--
--= Size below 10001 bytes =--
Jul 17 '05 #2
On Tue, 06 Jan 2004 01:54:13 -0800, Marek Kotowski wrote:
I am looking for a tool to execute PHP scripts entered in an HTML form. For
example: user is given a problem to solve. He writes a PHP script, sends
it to a server, where it is executed and results are sent back to the
user. Are such tools available at all?

Thanks in advance.

Marek Kotowski
Warsaw

Sure... SCP... RSYNC... FTP.....................

Regards,

Ian

--
Ian.H [Design & Development]
digiServ Network - Web solutions
www.digiserv.net | irc.digiserv.net | forum.digiserv.net
Programming, Web design, development & hosting.

Jul 17 '05 #3
On Tue, 06 Jan 2004 12:21:57 +0000, Ian.H wrote:
On Tue, 06 Jan 2004 01:54:13 -0800, Marek Kotowski wrote:
I am looking for a tool to execute PHP scripts entered in an HTML form.
For example: user is given a problem to solve. He writes a PHP script,
sends it to a server, where it is executed and results are sent back to
the user. Are such tools available at all?

Thanks in advance.

Marek Kotowski
Warsaw

Sure... SCP... RSYNC... FTP.....................

Apologies.. forgot about the "HTML form".

The "tool" you're looking for is umm... 'php'?

- Upload script through form
- Uploaded script either uses system() etc. or redirects to script for web
output
- Browser displays results

Regards,

Ian

--
Ian.H [Design & Development]
digiServ Network - Web solutions
www.digiserv.net | irc.digiserv.net | forum.digiserv.net
Programming, Web design, development & hosting.

Jul 17 '05 #4
"Ian.H" <ia*@WINDOZEdigiserv.net> wrote in message
news:pa***************************@hybris.digiserv.net...
On Tue, 06 Jan 2004 12:21:57 +0000, Ian.H wrote:
On Tue, 06 Jan 2004 01:54:13 -0800, Marek Kotowski wrote:
I am looking for a tool to execute PHP scripts entered in an HTML form.
For example: user is given a problem to solve. He writes a PHP script,
sends it to a server, where it is executed and results are sent back to
the user. Are such tools available at all?

Thanks in advance.

Marek Kotowski
Warsaw

Sure... SCP... RSYNC... FTP.....................

Apologies.. forgot about the "HTML form".

The "tool" you're looking for is umm... 'php'?

- Upload script through form
- Uploaded script either uses system() etc. or redirects to script for web
output
- Browser displays results

Regards,

Ian

--
Ian.H [Design & Development]
digiServ Network - Web solutions
www.digiserv.net | irc.digiserv.net | forum.digiserv.net
Programming, Web design, development & hosting.


All doable, check out my site, there is a section called PHP Now, it lets
you type in php code that gets run on the server, and the results returned,
but as was stated earlier, be afraid! I can bring stuff down very easily, and
expose stuff really easily too. I am still locking my PHP Now page every day
almost.
--
Mike Bradley
http://www.gzentools.com -- free online php tools
Jul 17 '05 #5

"CountScubula" <me@scantek.hotmail.com> wrote in message
news:tG*****************@newssvr27.news.prodigy.com...
"Ian.H" <ia*@WINDOZEdigiserv.net> wrote in message
news:pa***************************@hybris.digiserv.net...
On Tue, 06 Jan 2004 12:21:57 +0000, Ian.H wrote:
On Tue, 06 Jan 2004 01:54:13 -0800, Marek Kotowski wrote:

> I am looking for a tool to execute PHP scripts entered in an HTML form.
> For example: user is given a problem to solve. He writes a PHP script,
> sends it to a server, where it is executed and results are sent back to
> the user. Are such tools available at all?
>
> Thanks in advance.
>
> Marek Kotowski
> Warsaw
Sure... SCP... RSYNC... FTP.....................

Apologies.. forgot about the "HTML form".

The "tool" you're looking for is umm... 'php'?

- Upload script through form
- Uploaded script either uses system() etc. or redirects to script for web
output
- Browser displays results

Regards,

Ian

--
Ian.H [Design & Development]
digiServ Network - Web solutions
www.digiserv.net | irc.digiserv.net | forum.digiserv.net
Programming, Web design, development & hosting.


All doable, check out my site, there is a section called PHP Now, it lets
you type in php code that gets run on the server, and the results returned,
but as was stated earlier, be afraid! I can bring stuff down very easily, and
expose stuff really easily too. I am still locking my PHP Now page every day
almost.
--
Mike Bradley
http://www.gzentools.com -- free online php tools


Greetings,

Just read today of something called IndigoPerl. Supposed to run on all
sorts of platforms. Non-invasive install and free. Lets you run an Apache
server and PHP scripts on your own computer so you don't have to upload
and all that to test.

Ray
Jul 17 '05 #6
CountScubula wrote:
... I am still locking my PHP Now page every day almost.

lock backticks!

Ah, you've already done it :)
--
--= my mail box only accepts =--
--= Content-Type: text/plain =--
--= Size below 10001 bytes =--
Jul 17 '05 #7
"Pedro Graca" <he****@hotpop.com> wrote in message
news:bt************@ID-203069.news.uni-berlin.de...
CountScubula wrote:
... I am still locking my PHP Now page every day almost.

lock backticks!

Ah, you've already done it :)
--
--= my mail box only accepts =--
--= Content-Type: text/plain =--
--= Size below 10001 bytes =--


ok, that was you,
not too cool, you tried to have the server dump out its own php page
(phpnow.php)
I had blacklisted you, I will remove it since you actually posted here to
let me know of a flaw.
--
Mike Bradley
http://www.gzentools.com -- free online php tools
Jul 17 '05 #8
"Pedro Graca" <he****@hotpop.com> wrote in message
news:bt************@ID-203069.news.uni-berlin.de...
CountScubula wrote:
... I am still locking my PHP Now page every day almost.

lock backticks!

Ah, you've already done it :)
--
--= my mail box only accepts =--
--= Content-Type: text/plain =--
--= Size below 10001 bytes =--


btw

your server is dumping out too much info, it shows what it accepts

Unsupported request method.
The Methods supported are ,
GET, POST, HEAD, PUT, TRACE, DELETE, OPTIONS, CONNECT, PURGE, NETHCMD,
PROPFIND, PROPPATCH, MKCOL, COPY, DELETE, MOVE, LOCK, UNLOCK, BIND, BMOVE,
BCOPY, BDELETE, BPROPFIND, BPROPPATCH, SEARCH, SUBSCRIBE, UNSUBSCRIBE, POLL,
SUBSCRIPTIONS, ACL, NOTIFY, INVOKE
...
...
Generated Tue, 06 Jan 2004 14:00:26 GMT by
(<a href="http://www.cisco.com/">Application and Content Networking System
Software 5.0.5</a>)


--
Mike Bradley
http://www.gzentools.com -- free online php tools
Jul 17 '05 #9
CountScubula wrote:
> "Pedro Graca" <he****@hotpop.com> wrote in message
> CountScubula wrote:
> > > ... I am still locking my PHP Now page every day almost.
> > lock backticks!
> ok, that was you,
> not too cool, you tried to have the server dump out its own php page
> (phpnow.php)

Well ... I never intended to (or know how to) hack/crack your server.
Just tried backticks to see what would happen :)

Then I tried file(), file_get_contents(), highlight_file()
but they all were locked.

> I had blacklisted you, I will remove it since you actually posted here to
> let me know of a flaw.


It never occurred to me that I could no longer use backticks because I
was blocked ... hope you solved the situation before my posting and had
no other tries of exploits with backticks.
--
--= my mail box only accepts =--
--= Content-Type: text/plain =--
--= Size below 10001 bytes =--
Jul 17 '05 #10
CountScubula wrote:
your server is dumping out too much info, it shows what it accepts

Unsupported request method.
The Methods supported are ,
GET, POST, HEAD, PUT, TRACE, DELETE, OPTIONS, CONNECT, PURGE, NETHCMD,
PROPFIND, PROPPATCH, MKCOL, COPY, DELETE, MOVE, LOCK, UNLOCK, BIND,
BMOVE,
BCOPY, BDELETE, BPROPFIND, BPROPPATCH, SEARCH, SUBSCRIBE, UNSUBSCRIBE,
POLL,
SUBSCRIPTIONS, ACL, NOTIFY, INVOKE


Thank you. I have now read a bit more of the Apache documentation, and
tried a <Limit> thing but don't know if it had the effect of turning
most methods unsupported.

How did you get that list?
I searched a bit on cisco.com (without registering) but couldn't find it
there.

PS. <me@scantek.hotmail.com> is an invalid address
--
--= my mail box only accepts =--
--= Content-Type: text/plain =--
--= Size below 10001 bytes =--
Jul 17 '05 #11
"Pedro Graca" <he****@hotpop.com> wrote in message
news:bt************@ID-203069.news.uni-berlin.de...

Well ... I never intended to (or know how to) hack/crack your server.
Just tried backticks to see what would happen :)

Then I tried file(), file_get_contents(), highlight_file()
but they all were locked.
I had blacklisted you, I will remove it since you actually posted here to
let me know of a flaw.


It never occurred to me that I could no longer use backticks because I
was blocked ... hope you solved the situation before my posting and had
no other tries of exploits with backticks.
--
--= my mail box only accepts =--
--= Content-Type: text/plain =--
--= Size below 10001 bytes =--


:) as long as you did it openly, I am ok with it, boy did it keep me on my
toes! The PHP now script logs entry of commands so I can see if there is
any abuse, and what to try and lock.

you were the first backtick person. I have had some doozies, some people
have no idea what they are doing,

Backticks was something I overlooked, I use them all the time, and have no
idea why I overlooked locking those down.

Well, I thought you were on a info gathering mission, from some of the
commands that scrolled by:
`ls`
`uname -a`
print implode("","phpnow.php");
--you were doing it methodically

I wrote a section of code to blacklist as you were trying the commands;
it's funny, my own encoder was able to get past my locking of the commands,
but that's locked too now.

take care, and thanks for waking/shaking me up ;)

--
Mike Bradley
http://www.gzentools.com -- free online php tools
Jul 17 '05 #12
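Mike's blacklist was bypassed by his own encoder, which is the usual fate of string matching on command names. Below is an added example (written for this page; it is not code from the thread or from gzentools) of the alternative: screening a submitted snippet at the token level with token_get_all(), so the check sees what the parser sees and a call site cannot be hidden by spacing, case, concatenation or encoding. It assumes PHP 7.4 or later; the allowlist and the sample inputs are constructed for the demonstration.

```php
<?php
// Added example, not code from the thread or from gzentools: a token-level
// pre-screen for a submitted PHP snippet. Assumptions: PHP 7.4 or later;
// the allowlist and sample inputs below are constructed.

function screen_php_snippet(string $code, array $allowedFunctions): array
{
    $allowed = array_map('strtolower', $allowedFunctions);
    $skip = [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT, T_OPEN_TAG];

    // Flatten to significant tokens as [id, text, line]; one-character tokens
    // such as '(' or '`' use the character itself as id.
    $sig = [];
    $line = 1;
    foreach (token_get_all('<?php ' . $code) as $t) {
        if (is_array($t)) {
            $line = $t[2];
            if (!in_array($t[0], $skip, true)) {
                $sig[] = [$t[0], $t[1], $line];
            }
        } else {
            $sig[] = [$t, $t, $line];
        }
    }

    // Functions the snippet declares itself may be called.
    foreach ($sig as $i => $tok) {
        if ($tok[0] === T_FUNCTION && isset($sig[$i + 1]) && $sig[$i + 1][0] === T_STRING) {
            $allowed[] = strtolower($sig[$i + 1][1]);
        }
    }

    // Rejected outright: code loading, object/static access (class methods are
    // another road to the filesystem), variable-variables, the string
    // interpolation forms that can embed them, and the backtick operator.
    $banned = [
        T_EVAL => 'eval', T_INCLUDE => 'include', T_INCLUDE_ONCE => 'include_once',
        T_REQUIRE => 'require', T_REQUIRE_ONCE => 'require_once', T_NEW => 'new',
        T_OBJECT_OPERATOR => '->', T_DOUBLE_COLON => '::', '$' => '$$ variable-variable',
        T_DOLLAR_OPEN_CURLY_BRACES => '${ in string', T_CURLY_OPEN => '{$ in string',
        '`' => 'backtick operator',
    ];
    if (defined('T_NULLSAFE_OBJECT_OPERATOR')) {
        $banned[T_NULLSAFE_OBJECT_OPERATOR] = '?->';
    }
    // Token ids that carry a plain or namespaced function name (PHP 8 adds T_NAME_*).
    $nameIds = [T_STRING];
    foreach (['T_NAME_QUALIFIED', 'T_NAME_FULLY_QUALIFIED', 'T_NAME_RELATIVE'] as $c) {
        if (defined($c)) {
            $nameIds[] = constant($c);
        }
    }

    $problems = [];
    foreach ($sig as $i => [$id, $text, $line]) {
        if (isset($banned[$id])) {
            $problems[] = "line $line: {$banned[$id]} is not allowed";
            continue;
        }
        if ($id !== '(' || $i === 0) {
            continue;
        }
        // Every call site: whatever stands directly before the '(' is the callee.
        [$pid, $ptext, $pline] = $sig[$i - 1];
        if (in_array($pid, $nameIds, true)) {
            $fn = strtolower(ltrim($ptext, '\\'));
            if (!in_array($fn, $allowed, true)) {
                $problems[] = "line $pline: call to $fn() is not allowlisted";
            }
        } elseif (in_array($pid, [T_VARIABLE, T_CONSTANT_ENCAPSED_STRING, ')', ']', '}', '"'], true)) {
            // $f(), 'name'(), (expr)(), $a[0](), "..."(): the callee is decided at run time.
            $problems[] = "line $pline: dynamic call through $ptext";
        }
    }
    return array_values(array_unique($problems));
}

// Sample allowlist (constructed). Keep out anything that takes a callable
// (array_map, usort, call_user_func, preg_replace_callback) and, on PHP 5,
// preg_replace with the /e modifier: those turn a string back into code.
$allow = ['strlen', 'strtoupper', 'strrev', 'substr', 'str_repeat', 'implode',
          'explode', 'count', 'range', 'array_sum', 'sprintf', 'printf', 'abs',
          'max', 'min', 'round', 'intval', 'json_encode'];

// Constructed inputs: one clean snippet, a snippet with its own function, and
// several forms that a string blacklist does not catch.
$samples = [
    'echo strtoupper("hello"), PHP_EOL;',
    'function sq($n) { return $n * $n; } echo sq(7);',
    'echo `ls`;',
    '$f = "sys" . "tem"; $f("id");',
    "'sys'.'tem'('id');",
    'echo implode("", file("/etc/passwd"));',
    '$fn = "exec"; echo "{$fn(\'id\')}";',
];
foreach ($samples as $s) {
    $p = screen_php_snippet($s, $allow);
    printf("%-45s %s\n", substr($s, 0, 45), $p ? implode('; ', $p) : 'OK');
}
```

The allowlist is the whole security boundary of this check: any function on it that accepts a callable, or that evaluates a string as code, reopens the hole. The screen is also only a first gate; the snippet still has to run somewhere, and that should be a separate process with its own limits rather than eval() inside the web server.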
"Pedro Graca" <he****@hotpop.com> wrote in message
news:bt************@ID-203069.news.uni-berlin.de...
CountScubula wrote:
your server is dumping out too much info, it shows what it accepts

Unsupported request method.
The Methods supported are ,
GET, POST, HEAD, PUT, TRACE, DELETE, OPTIONS, CONNECT, PURGE, NETHCMD,
PROPFIND, PROPPATCH, MKCOL, COPY, DELETE, MOVE, LOCK, UNLOCK, BIND,
BMOVE,
BCOPY, BDELETE, BPROPFIND, BPROPPATCH, SEARCH, SUBSCRIBE, UNSUBSCRIBE,
POLL,
SUBSCRIPTIONS, ACL, NOTIFY, INVOKE


Thank you. I have now read a bit more of the Apache documentation, and
tried a <Limit> thing but don't know if it had the effect of turning
most methods unsupported.

How did you get that list?
I searched a bit on cisco.com (without registering) but couldn't find it
there.

PS. <me@scantek.hotmail.com> is an invalid address
--
--= my mail box only accepts =--
--= Content-Type: text/plain =--
--= Size below 10001 bytes =--

Well, when it appears someone is hacking me (I know you were not after all), I
monitor them, and immediately start looking at who they are, where they are
coming from, what routers they are going through, data in their packets,
what services are running on their IP (router/firewall/server/machine)

I did a simple

telnet your_ip 80

and hit enter 2 times, and waited for a default bad method answer

then

telnet your_ip 80

GET / HTTP/1.1

to see the default page

psssst. I also looked at your ftp server :)

--
Mike Bradley
http://www.gzentools.com -- free online php tools
Jul 17 '05 #13
CountScubula wrote:
> :) as long as you did it openly, I am ok with it, boy did it keep me on my
> toes! The PHP now script logs entry of commands so I can see if there is
> any abuse, and what to try and lock.

I have another peculiar hacking/cracking idea :-)

> Well, I thought you were on an info gathering mission, from some of the
> commands that scrolled by:
> `ls`

First thing that crossed my mind

> `uname -a`

Ah! `ls` worked :) -- Let's see what machine he has (I remembered this from
some of my reading)
But then I don't know what to do with the information (lol).

> print implode("","phpnow.php");

Trying to see a php source

> --you were doing it methodically

with the several functions I thought of

> I wrote a section of code to blacklist as you were trying the commands

Wouldn't it be easier to
root# iptables -I INPUT -s <my_ip> -j DROP

> take care, and thanks for waking/shaking me up ;)

I feel confident my last idea works -- feel afraid, feel *very* afraid

... Will only test it when you return from your scuba diving
--
--= my mail box only accepts =--
--= Content-Type: text/plain =--
--= Size below 10001 bytes =--
Jul 17 '05 #14
"Pedro Graca" <he****@hotpop.com> wrote in message
news:bt************@ID-203069.news.uni-berlin.de...
Wouldn't it be easier to
root# iptables -I INPUT -s <my_ip> -j DROP
take care, and thanks for waking/shaking me up ;)

I feel confident my last idea works -- feel afraid, feel *very* afraid

... Will only test it when you return from your scuba diving
--


Well, I'm back, I am only 150 yards from the beach. (today that is, I am
kicking back at an office I am setting up for a friend, he is a scuba
instructor)

true iptables would be faster, but I wanted others from the same IP to
access the machine. I didn't know if you owned it or if it was a
router/firewall

You know more than you let on, most people have no idea how to use iptables,
let alone that the command exists. I think your hacking ability is more than
you let on, kudos. This is what makes things better in my opinion.

Ok, you got me a little nervous, you have a new idea?
--
Mike Bradley
http://www.gzentools.com -- free online php tools
Jul 17 '05 #15
surprised you haven't tried to hack my aol im bot: screen name: 'gzentools'

--
Mike Bradley
http://www.gzentools.com -- free online php tools
Jul 17 '05 #16
Well, I am headed to fill my tanks, then head home,

We should compare notes sometime.

--
Mike Bradley
http://www.gzentools.com -- free online php tools
Jul 17 '05 #17
CountScubula wrote:
> Well, when it appears someone is hacking me (I know you were not after all), I
> monitor them, and immediately start looking at who they are, where they are
> coming from, what routers they are going through, data in their packets,
> what services are running on their IP (router/firewall/server/machine)
> I did a simple telnet your_ip 80 and hit enter 2 times, and waited for a
> default bad method answer

Ah! I got it! You were interested in my *^&#@_! ISP proxy server :)
My ip is not the one that appears on your Apache (or whatever) logs

All of the people in/around my city using the cable company I'm using
for an ISP will have that same ip.

> psssst. I also looked at your ftp server :)

I do not have FTP open!
In fact I only have these ports open: 113, 25, 80, 22, 443, and sometimes 8080
--
--= my mail box only accepts =--
--= Content-Type: text/plain =--
--= Size below 10001 bytes =--
Jul 17 '05 #18
CountScubula wrote:
> Well, I'm back, I am only 150 yards from the beach. (today that is, I am
> Ok, you got me a little nervous, you have a new idea?

And it works!!!!!!!!
patch your phpnow script! :-)
--
--= my mail box only accepts =--
--= Content-Type: text/plain =--
--= Size below 10001 bytes =--
Jul 17 '05 #19
I (Pedro Graca) wrote:
And it works!!!!!!!!
patch your phpnow script! :-)


$out = str_replace("gZen PHP Interpeter ","gZen PHP Interpeter ",$out);
$out = str_replace("","",$out);
What's this for? :)
some leftovers from a previous version?
--
--= my mail box only accepts =--
--= Content-Type: text/plain =--
--= Size below 10001 bytes =--
Jul 17 '05 #20
"Pedro Graca" <he****@hotpop.com> wrote in message
news:bt************@ID-203069.news.uni-berlin.de...
I (Pedro Graca) wrote:
And it works!!!!!!!!
patch your phpnow script! :-)


$out = str_replace("gZen PHP Interpeter ","gZen PHP Interpeter ",$out);
$out = str_replace("","",$out);
What's this for? :)
some leftovers from a previous version?
--
--= my mail box only accepts =--
--= Content-Type: text/plain =--
--= Size below 10001 bytes =--


those didn't come out right, but they are there to prevent the dir structure from
being revealed if there is an error in the user's code.

The preg_replace, that was good, kudos on that one!

is that the only command to allow /e or does it work on any of the regex?
That was good, I am still having fun with ideas on that one!
--
Mike Bradley
http://www.gzentools.com -- free online php tools
Jul 17 '05 #21
hey, you know linux,

what was the command to start a process, and if it dies, have it
automatically restart?
as in 'respawn' in inittab?

--
Mike Bradley
http://www.gzentools.com -- free online php tools
"Pedro Graca" <he****@hotpop.com> wrote in message
news:bt************@ID-203069.news.uni-berlin.de...
I (Pedro Graca) wrote:
And it works!!!!!!!!
patch your phpnow script! :-)


$out = str_replace("gZen PHP Interpeter ","gZen PHP Interpeter ",$out);
$out = str_replace("","",$out);
What's this for? :)
some leftovers from a previous version?
--
--= my mail box only accepts =--
--= Content-Type: text/plain =--
--= Size below 10001 bytes =--

Jul 17 '05 #22
Ma************@wsip.com.pl (Marek Kotowski) wrote in message news:<e5**************************@posting.google.com>...
I am looking for a tool to execute PHP scripts
entered in a HTML form. For example: user is
given a problem to solve. He writes a PHP script,
sends it to a server, where it is executed
and results are send back to the user. Are
such tools available at all?


<-----snip start------>

<?php
//file: immediate2.php

function eval_buffer($string) {
ob_start();
eval("$string[2];");
$return = ob_get_contents();
ob_end_clean();
return $return;
}

function eval_print_buffer($string) {
ob_start();
eval("print $string[2];");
$return = ob_get_contents();
ob_end_clean();
return $return;
}

function eval_html($string) {
$string = preg_replace_callback("/(<\?=)(.*?)\?>/si",
"eval_print_buffer",$string);
return preg_replace_callback("/(<\?php|<\?)(.*?)\?>/si",
"eval_buffer",$string);
}

$expression = isset($_POST['expression']) ? $_POST['expression'] : '';

?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
<HEAD>
<TITLE>Immediate Window v2.0</TITLE>
<META http-equiv="Content-Type" content="text/html;
charset=iso-8859-1">
<STYLE type="text/css">
<!--
body {
font-family: Verdana, Arial, Helvetica, sans-serif;
font-size: 9px;
}
hr {
color: #FF0000;
}
input {
font-family: Verdana, Arial, Helvetica, sans-serif;
font-size: 9px;
}
pre {
font-size: 12px;
}
-->
</STYLE>
</HEAD>
<BODY>
<H1 align="center">Immediate Window v2.0</H1>
<FORM action="<?=$_SERVER['PHP_SELF']?>" method="post">
<TABLE width="354" border="0" align="center" cellpadding="5"
cellspacing="0">
<TR>
<TD width="344" align="center"> <TEXTAREA name="expression"
cols="50" rows="5" id="expression"><?=$expression?></TEXTAREA>
</TD>
</TR>
<TR>
<TD align="center"> <INPUT type="submit" name="Submit"
value="Evaluate">
</TD>
</TR>
</TABLE>
</FORM>
<HR>
<PRE>
<?php
if ($_POST)
{
echo eval_html($expression);
}
?>
</PRE>
<HR>
<P><STRONG>Credits: </STRONG>This code is based on the user notes
found at <A href="http://www.php.net/eval"
target="_blank">http://www.php.net/eval</A></P>
</BODY>
</HTML>

<-----snip end------>
--
"Silence is the only right answer for many wrong questions" --
G.K.Moopanar, Indian Politician
Email: rrjanbiah-at-Y!com
Jul 17 '05 #23
"R. Rajesh Jeba Anbiah" <ng**********@rediffmail.com> wrote in message
news:ab**************************@posting.google.com...
Ma************@wsip.com.pl (Marek Kotowski) wrote in message

news:<e5**************************@posting.google.com>...
I am looking for a tool to execute PHP scripts
entered in an HTML form. For example: user is
given a problem to solve. He writes a PHP script,
sends it to a server, where it is executed
and results are sent back to the user. Are
such tools available at all?


<-----snip start------>

<?php
//file: immediate2.php

function eval_buffer($string) {
ob_start();
eval("$string[2];");
$return = ob_get_contents();
ob_end_clean();
return $return;
}

function eval_print_buffer($string) {
ob_start();
eval("print $string[2];");
$return = ob_get_contents();
ob_end_clean();
return $return;
}

function eval_html($string) {
$string = preg_replace_callback("/(<\?=)(.*?)\?>/si",
"eval_print_buffer",$string);
return preg_replace_callback("/(<\?php|<\?)(.*?)\?>/si",
"eval_buffer",$string);
}

$expression = isset($_POST['expression']) ? $_POST['expression'] : '';

?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
<HEAD>
<TITLE>Immediate Window v2.0</TITLE>
<META http-equiv="Content-Type" content="text/html;
charset=iso-8859-1">
<STYLE type="text/css">
<!--
body {
font-family: Verdana, Arial, Helvetica, sans-serif;
font-size: 9px;
}
hr {
color: #FF0000;
}
input {
font-family: Verdana, Arial, Helvetica, sans-serif;
font-size: 9px;
}
pre {
font-size: 12px;
}
-->
</STYLE>
</HEAD>
<BODY>
<H1 align="center">Immediate Window v2.0</H1>
<FORM action="<?=$_SERVER['PHP_SELF']?>" method="post">
<TABLE width="354" border="0" align="center" cellpadding="5"
cellspacing="0">
<TR>
<TD width="344" align="center"> <TEXTAREA name="expression"
cols="50" rows="5" id="expression"><?=$expression?></TEXTAREA>
</TD>
</TR>
<TR>
<TD align="center"> <INPUT type="submit" name="Submit"
value="Evaluate">
</TD>
</TR>
</TABLE>
</FORM>
<HR>
<PRE>
<?php
if ($_POST)
{
echo eval_html($expression);
}
?>
</PRE>
<HR>
<P><STRONG>Credits: </STRONG>This code is based on the user notes
found at <A href="http://www.php.net/eval"
target="_blank">http://www.php.net/eval</A></P>
</BODY>
</HTML>

<-----snip end------>
--
"Silence is the only right answer for many wrong questions" --
G.K.Moopanar, Indian Politician
Email: rrjanbiah-at-Y!com

There are so many security holes in that; that's what Pedro and I have been going back
and forth over. You cannot just pass code to eval, eval = evil :)
--
Mike Bradley
http://www.gzentools.com -- free online php tools
Jul 17 '05 #24
"CountScubula" <me@scantek.hotmail.com> wrote in message news:<7M*****************@newssvr25.news.prodigy.c om>...

<snip>
--
Mike Bradley
http://www.gzentools.com -- free online php tools

Recently someone in c.l.c pointed out my faulty sig-marker. The
sig-marker should be "-- " (i.e., dash-dash-space-newline). Now, I'd
like to let you know that.

--
"Silence is the only right answer for many wrong questions" --
G.K.Moopanar, Indian Politician
Email: rrjanbiah-at-Y!com
Jul 17 '05 #25
CountScubula wrote:
surprised you haven't tried to hack my aol im bot: screen name: 'gzentools'


I don't care for Instant Messaging.
--
--= my mail box only accepts =--
--= Content-Type: text/plain =--
--= Size below 10001 bytes =--
Jul 17 '05 #26
CountScubula wrote:
hey, you know linux,
No, I don't, I know (language exaggeration) only the few things I dealt
with to have my computer running and make me feel safe.
what was the command to start a process, and if it dies, have it
automatically restart?
as in 'respawn' in inittab?


I have a similar thing with a program that checks whether it's running at
startup: I made a crontab entry to start that program every hour; if it
verifies it is already running, it won't start a second instance.
--
--= my mail box only accepts =--
--= Content-Type: text/plain =--
--= Size below 10001 bytes =--
Jul 17 '05 #27
R. Rajesh Jeba Anbiah wrote:
[edited]
eval($user_input);


Are you sure you can treat $user_input to avoid *ALL* security risks
this poses?

$user_input = 'implode("", file("/etc/passwd"))';
$user_input = '`ls`';

and a lot more of evil things :)
Like Mike says

"eval == evil"
--
--= my mail box only accepts =--
--= Content-Type: text/plain =--
--= Size below 10001 bytes =--
Jul 17 '05 #28
On 2004-01-07, Pedro Graca <he****@hotpop.com> wrote:
R. Rajesh Jeba Anbiah wrote:
[edited]
eval($user_input);


Are you sure you can treat $user_input to avoid *ALL* security risks
this poses?

$user_input = 'implode("", file("/etc/passwd"))';
$user_input = '`ls`';

and a lot more of evil things :)


That's why they invented shadow passwords :P
(Assuming your webserver isn't running under uid 0)
--
http://home.mysth.be/~timvw
Jul 17 '05 #29
Tim Van Wassenhove wrote:
$user_input = 'implode("", file("/etc/passwd"))'; and a lot more of evil things :)
That's why they invented shadow passwords :P
(Assuming your webserver isn't running under uid 0)


What about

`rm -rf *`

Does the webserver have write-access to the directory the scripts are in?
Do you have a backup of them?
--
--= my mail box only accepts =--
--= Content-Type: text/plain =--
--= Size below 10001 bytes =--
Jul 17 '05 #30
On 2004-01-07, Pedro Graca <he****@hotpop.com> wrote:
Tim Van Wassenhove wrote:
$user_input = 'implode("", file("/etc/passwd"))'; and a lot more of evil things :)

That's why they invented shadow passwords :P
(Assuming your webserver isn't running under uid 0)


What about

`rm -rf *`

Does the webserver have write-access to the directory the scripts are in?
Do you have a backup of them?

I have umask 0700, and only give rights where it is absolutely necessary
;)

Oh yeah, and with duplicity and a little script I wrote, I do have a
nice backup system :)

Having safe_mode enabled has its advantages too ;)

--
http://home.mysth.be/~timvw
Jul 17 '05 #31
Tim Van Wassenhove wrote:
On 2004-01-07, Pedro Graca <he****@hotpop.com> wrote:
Does the webserver have write-access to the directory the scripts are in?
Do you have a backup of them?
I have umask 0700, and only give rights where it is absolutely necessary
;)
good !
Oh yeah, and with duplicity and a little script I wrote, I do have a
nice backup system :)
Very Good! Have to make my own backup system some day :)
Having safe_mode enabled has its advantages too ;)


Agreed ... but here I'm not sure the advantages outweigh the
disadvantages. I prefer to be able to do _everything_ except what I
specifically disallow.

When I make a script I always have this saying present in my mind:
"Never trust the input from a user."
--
--= my mail box only accepts =--
--= Content-Type: text/plain =--
--= Size below 10001 bytes =--
Jul 17 '05 #32
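Mike's "eval = evil" (#24), Pedro's file("/etc/passwd") and `ls` examples (#28) and Tim's safe_mode and umask points (#31, #32) all circle the same design decision: code typed into a form should never run inside the web server's own process. The following is an added example (written for this page; it is not code from the thread, from gzentools or from the immediate2.php script posted above) of the alternative, handing the snippet to a separate php CLI process that starts from a clean configuration with the shell and filesystem functions disabled, a memory cap, a wall-clock timeout and an output cap enforced by the parent. It assumes PHP 7.4 or later on Linux, the interpreter at /usr/bin/php (a constructed default) and a web server already running as an unprivileged user.

```php
<?php
// Added example, not code from the thread or from gzentools: the submitted
// snippet runs in a separate php process with its own restrictions, so
// nothing it does happens inside the web server's process.
// Assumptions (constructed): PHP 7.4 or later on Linux, the CLI interpreter
// at /usr/bin/php, and the web server running as an unprivileged user.

function run_untrusted_php(string $code, string $phpBinary = '/usr/bin/php',
                           float $timeoutSeconds = 5.0, int $maxOutput = 65536): array
{
    // Functions the child may not call. Disabling shell_exec also disables the
    // backtick operator; open_basedir pointing at a directory that does not
    // exist denies every filesystem path.
    $disabled = implode(',', [
        'exec', 'passthru', 'system', 'shell_exec', 'proc_open', 'popen', 'dl',
        'file', 'file_get_contents', 'file_put_contents', 'fopen', 'readfile',
        'highlight_file', 'show_source', 'opendir', 'scandir', 'glob', 'unlink',
        'rename', 'copy', 'touch', 'mkdir', 'rmdir', 'chmod', 'symlink', 'link',
        'fsockopen', 'stream_socket_client', 'mail', 'putenv', 'ini_set',
    ]);
    $cmd = [
        $phpBinary, '-n',                       // -n: ignore php.ini, start from defaults
        '-d', 'disable_functions=' . $disabled,
        '-d', 'open_basedir=/nonexistent',
        '-d', 'allow_url_fopen=0',
        '-d', 'allow_url_include=0',
        '-d', 'memory_limit=32M',
        '-d', 'display_errors=stderr',          // errors arrive on our stderr pipe
        '-d', 'html_errors=0',
        '-d', 'error_reporting=E_ALL',
    ];
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    // Array form skips /bin/sh, and the explicit environment keeps the parent's
    // variables (database credentials, paths) out of the child.
    $proc = proc_open($cmd, $spec, $pipes, '/', ['PATH' => '/usr/bin:/bin']);
    if (!is_resource($proc)) {
        return ['output' => '', 'errors' => 'could not start interpreter', 'exit' => -1, 'killed' => false];
    }
    // The script goes in on stdin, so error messages name "Standard input code"
    // instead of a path on the server.
    fwrite($pipes[0], "<?php\n" . $code);
    fclose($pipes[0]);
    stream_set_blocking($pipes[1], false);
    stream_set_blocking($pipes[2], false);

    $out = ''; $err = ''; $exit = -1; $killed = false;
    $deadline = microtime(true) + $timeoutSeconds;
    while (true) {
        $out .= (string) stream_get_contents($pipes[1]);
        $err .= (string) stream_get_contents($pipes[2]);
        $st = proc_get_status($proc);
        if (!$st['running']) { $exit = $st['exitcode']; break; }
        // Wall-clock limit enforced by the parent: the CLI's max_execution_time
        // counts CPU time only, so a sleep() or a blocking read would not trip it.
        if (microtime(true) > $deadline || strlen($out) > $maxOutput) {
            proc_terminate($proc, 9);   // SIGKILL: the child cannot ignore it
            $killed = true;
            break;
        }
        usleep(20000);
    }
    $out .= (string) stream_get_contents($pipes[1]);
    $err .= (string) stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return ['output' => substr($out, 0, $maxOutput), 'errors' => $err, 'exit' => $exit, 'killed' => $killed];
}

// What the page shows: escaped, so output from the snippet cannot inject markup.
function render_result(array $r): string
{
    $text = $r['output'] . ($r['errors'] !== '' ? "\n--- errors ---\n" . $r['errors'] : '')
          . ($r['killed'] ? "\n[terminated: time or output limit]" : '');
    return '<pre>' . htmlspecialchars($text, ENT_QUOTES, 'UTF-8') . '</pre>';
}

// Constructed demo input: a harmless computation.
if (PHP_SAPI === 'cli') {
    echo render_result(run_untrusted_php('echo array_sum(range(1, 10)), PHP_EOL;')), PHP_EOL;
}
```

Two things worth noting about the design. Feeding the script on stdin is what makes the str_replace lines Mike mentioned unnecessary: a parse error reports "Standard input code" rather than the directory the tool lives in. And disable_functions, open_basedir and memory_limit are enforced by the same interpreter that runs the snippet, so they are the first layer, not the last; a practitioner also runs the child under its own user ID (or in a container) with resource limits, because the process boundary is the part the snippet cannot talk its way out of.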
I have done it in the inittab, but in this case, I do not want it to start
when the server starts.
hmm, I'll work on it.

--
Mike Bradley
http://www.gzentools.com -- free online php tools
"Pedro Graca" <he****@hotpop.com> wrote in message
news:bt************@ID-203069.news.uni-berlin.de...
CountScubula wrote:
hey, you know linux,


No, I don't, I know (language exaggeration) only the few things I dealt
with to have my computer running and make me feel safe.
what was the command to start a process, and if it dies, have it
automatically restart?
as in 'respawn' in inittab?


I have a similar thing with a program that checks whether it's running at
startup: I made a crontab entry to start that program every hour; if it
verifies it is already running, it won't start a second instance.
--
--= my mail box only accepts =--
--= Content-Type: text/plain =--
--= Size below 10001 bytes =--

Jul 17 '05 #33
"Pedro Graca" <he****@hotpop.com> wrote in message
news:bt************@ID-203069.news.uni-berlin.de...
When I make a script I always have this saying present in my mind:
"Never trust the input from a user."
--
--= my mail box only accepts =--
--= Content-Type: text/plain =--
--= Size below 10001 bytes =--

I agree 110%, but sometimes we lose sight because we are excited about what
we wrote, and we sometimes miss certain things, oh, I dunno, like the ``
BACKTICKS :)

--
Mike Bradley
http://www.gzentools.com -- free online php tools
Jul 17 '05 #34
I noticed that Message-ID:
<ab**************************@posting.google.com> from R. Rajesh Jeba
Anbiah contained the following:
--
Mike Bradley
http://www.gzentools.com -- free online php tools

Recently someone in c.l.c pointed out my faulty sig-marker. The
sig-marker should be "-- " (i.e., dash-dash-space-newline). Now, I'd
like to let you know that.


The stripping of trailing space is a well known Outhouse Express
'feature'.

--
Geoff Berrow (put thecat out to email)
It's only Usenet, no one dies.
My opinions, not the committee's, mine.
Simple RFDs http://www.ckdog.co.uk/rfdmaker/
Jul 17 '05 #35
Geoff Berrow wrote:
The stripping of trailing space is a well known Outhouse Express
'feature'.


That particular nuisance is fixable by installing and using Dominik
Jain's OE-QuoteFix.

--
Jock
Jul 17 '05 #36
CountScubula wrote:
hey, you know linux,

what was the command to start a process, and if it dies, have it
automatically restart?
as in 'respawn' in inittab?


ISTR it's daemon (sorry for butting in)

Cheers,
Andy
Jul 17 '05 #37
"Andy Jeffries" <ne**@andyjeffries.remove.co.this.uk> wrote in message
news:bt**********@sparta.btinternet.com...
CountScubula wrote:
hey, you know linux,

what was the command to start a process, and if it dies, have it
automatically restart?
as in 'respawn' in inittab?


ISTR it's daemon (sorry for butting in)

Cheers,
Andy


by all means please do,

here is my problem, I have a small daemon I wrote in C, I haven't figured
out why it dies yet, I haven't been around when it crashes.

So in the interim I would like it to be relaunched if it crashes. It is not
a true daemon yet, until I solve this crash problem.

one of the stupid workarounds I did was this:

on the command line, I type
php keepup.php &

here is the keepup.php script
<?php
set_time_limit(0);           // the CLI time limit must not stop the loop
while (true){
    `/usr/bin/testdaemon`;   // backticks block until the daemon exits
    sleep(1);                // pause so a daemon that dies at once does not spin the CPU
}
?>

This way if it crashes, it gets relaunched,
--
Mike Bradley
http://www.gzentools.com -- free online php tools
Jul 17 '05 #38
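Mike's keepup.php relaunches the daemon but throws away the one thing he says he is missing: why it died. The following is an added example (written for this page; it is not Mike's script or anything from gzentools) of the same respawn loop done with proc_open, so each exit is logged with its exit code or the signal that killed it, and with a growing delay and a give-up counter so a binary that fails at startup does not get relaunched in a tight loop. It assumes PHP 7.4 or later on a POSIX system; the daemon path is a constructed placeholder. Pedro's hourly crontab check (#27) and Andy's "daemon" suggestion (#37) solve the same problem from outside; this keeps it in one PHP file started the way Mike already starts his.

```php
<?php
// Added example, not Mike's keepup.php: a supervisor that relaunches the
// program when it exits, logs how it ended (exit code or the signal that
// killed it) and backs off instead of spinning when it dies at once.
// Assumptions (constructed): PHP 7.4 or later on a POSIX system; DAEMON is a
// placeholder path. Start it with: php keepup.php &

const DAEMON = '/usr/bin/testdaemon';   // placeholder, replace with the real binary
const LOG_FILE = '/tmp/keepup.log';

function log_line(string $msg): void
{
    file_put_contents(LOG_FILE, date('c') . ' ' . $msg . PHP_EOL, FILE_APPEND | LOCK_EX);
}

// Run the program once and report how it ended. signal is the clue when the
// program crashes (11 = SIGSEGV); exit is its own return value.
function run_once(string $path): array
{
    $spec = [
        0 => ['file', '/dev/null', 'r'],
        1 => ['file', LOG_FILE, 'a'],    // the program's own output stays with the log
        2 => ['file', LOG_FILE, 'a'],
    ];
    $started = microtime(true);
    $proc = proc_open([$path], $spec, $pipes);
    if (!is_resource($proc)) {
        return ['started' => false, 'seconds' => 0.0, 'exit' => -1, 'signal' => 0];
    }
    do {
        usleep(200000);
        $st = proc_get_status($proc);
    } while ($st['running']);
    proc_close($proc);
    return ['started' => true, 'seconds' => microtime(true) - $started,
            'exit' => $st['exitcode'], 'signal' => $st['signaled'] ? $st['termsig'] : 0];
}

function supervise(string $path, int $maxRapidFailures = 5, float $rapidSeconds = 10.0): void
{
    $rapid = 0;
    $delay = 1;
    while (true) {
        $r = run_once($path);
        if (!$r['started']) {
            log_line("cannot start $path");
            return;
        }
        log_line(sprintf('%s ended after %.1fs exit=%d signal=%d',
                         $path, $r['seconds'], $r['exit'], $r['signal']));
        if ($r['seconds'] < $rapidSeconds) {
            // Died right away: wait longer each time, and stop after a run of
            // them so a broken binary is not relaunched forever.
            if (++$rapid >= $maxRapidFailures) {
                log_line('giving up: repeated immediate failures');
                return;
            }
            sleep($delay);
            $delay = min($delay * 2, 60);
        } else {
            $rapid = 0;
            $delay = 1;
        }
    }
}

if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    set_time_limit(0);
    supervise(DAEMON);
}
```

The log line with exit and signal is what turns "it dies and I was not around" into something that can be debugged: a non-zero exit code points at the program's own error handling, while a signal number points at a crash.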
