
substr() doesn't work

I've a template with some PHP code in it. I need to get the names of
all the PHP commands, so I can import them and so I can make sure they
are officially allowed (for security purposes, users are only allowed
to use officially allowed commands). I'm using the following class
method. substr is not working as I expect. When I echo out $location1
and $location2 I get 8287 and 8306 which are correct answers for the
first PHP command. But when I use the vars in substr, I get a quite
astonishing return. You'll see the line where I echo out $name after
having run it through substr(). I should only get 19 characters, which
is the gap between 8287 and 8306, yet I end up with something like 200
characters, including several other PHP commands. What gives?

function checkTemplateForAllowedFunctions($template=false) {
    // 04-26-04 - for security, if there is some PHP code that we don't recognize, we want the whole script
    // to die.

    if (is_string($template)) {
        $allowedFunctions = $this->getAllowedFunctions();

        $php = "<";
        $php .= "?";
        $php .= "php";

        $end = "?";
        $end .= ">";

        $allowed = false;

        // 04-26-04 - we need to find out how many PHP blocks there are in this template. Then we'll
        // compare them and see if there are equal numbers of both. I'm not sure what sort of an
        // attack a hacker could launch by having an unequal number, but it seems wise to be very
        // careful here.
        $howManyStart = substr_count($template, $php);
        $howManyEnd = substr_count($template, $end);

        if ($howManyStart != $howManyEnd) {
            die ("Awful sorry, but there is something wrong with this template. We went looking to see if how many times we would find the '$php' tag, and then we went looking for the '$end' tag. We found $howManyStart of the first and $howManyEnd of the second. We should have found the same number of both.");
        }

        for ($i=0; $i < $howManyStart; $i++) {
            $location1 = strpos($template, $php);
            $location2 = strpos($template, $end);
            // 04-26-04 - we need 3 equal signs to tell the difference between the zero position in the template
            // and the false condition. If there is no php in this template, then we can skip the rest of this
            // function.
            if ($location1 === false) {
                return true;
            } else {
                // 04-26-04 - now we want to get rid of everything before the function name. We
                // want to get the function name. This should return the command and the function name.
                // We should have something that looks like '< ?php showCommentsForThisPage(); ? >', but
                // without the extra spaces that I just added in to protect from errors.

                $name = substr($template, $location1, $location2);
                echo "<hr><hr><hr> here's the first function: $name <hr><hr><hr>";
                // 04-26-04 - now we get rid of the start and end PHP tags, and the white space.
                // What we are left with should look like 'showCommentsForThisPage();'
                $name = str_replace($php, "", $name);
                $name = str_replace($end, "", $name);
                $name = trim($name);

                // keep the whole statement; the trailing-code check below needs it after $name is cut down
                $statement = $name;

                // 04-26-04 - now we want just the name, without the parentheses.
                $location1 = strpos($name, "(");

                $name = substr($name, 0, $location1);

                if (in_array($name, $allowedFunctions)) $allowed = true;
                if ($allowed) {
                    $this->import($name, " in checkTemplateForAllowedFunctions(), in the class McControllerForAll.");
                } else {
                    echo "Sorry, but we did not recognize the name of a PHP function in the template or arrangement we were asked to show. We were given '$name', which we did not recognize as being in the official list. These are the officially allowed PHP functions: ";
                    reset($allowedFunctions);
                    while (list($key, $val) = each($allowedFunctions)) {
                        echo "$val \n<br />";
                    }
                    die();
                }

                // 04-26-04 - it's critical we make sure some hacker hasn't slipped extra PHP code into
                // this PHP block (after the officially allowed function).
                $location2 = strpos($statement, ";");
                $location2 = $location2 + 1;
                $rest = substr($statement, $location2);
                // 04-26-04 - this should be an empty string, so if there is something here, that means trouble.
                if ($rest != "") {
                    echo "Sorry, but we did not recognize the name of a PHP function in the template or arrangement we were asked to show. We were given '$name', which we did not recognize as being in the official list. These are the officially allowed PHP functions: ";
                    reset($allowedFunctions);
                    sort($allowedFunctions);
                    while (list($key, $val) = each($allowedFunctions)) {
                        echo "$val \n<br />";
                    }
                    die();
                }
            }
        } // end of for() loop
    } else {
        $this->error("In checkTemplateForAllowedFunctions(), in the class McControllerForAll, we expected to be given a string, but we were given nothing.");
    }
}
Jul 17 '05 #1
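For reference, here is a corrected version of the block extraction and allow-list check, added as an illustration and not the poster's code: substr()'s third argument is a length, not an end offset, so the length has to be computed as end minus start, and the search offset has to advance past each block so later blocks are found at all. The allow-list and template text are constructed for this example.

```php
<?php
// Added example, not the poster's code. substr()'s third argument is a LENGTH, so the
// block length is computed as (end - start); the search offset advances past each block
// so later blocks are found too. The allow-list and template below are constructed.

function extractPhpBlocks(string $template): array {
    $open = '<?php';
    $close = '?>';
    $blocks = [];
    $offset = 0;
    while (($start = strpos($template, $open, $offset)) !== false) {
        $end = strpos($template, $close, $start + strlen($open));
        if ($end === false) {
            throw new RuntimeException("Unterminated PHP block at offset $start");
        }
        // Length, not end position: passing $end here was the bug in the question.
        $body = substr($template, $start + strlen($open), $end - $start - strlen($open));
        $blocks[] = trim($body);
        $offset = $end + strlen($close);   // continue searching after this block
    }
    return $blocks;
}

function checkTemplateForAllowedFunctions(string $template, array $allowedFunctions): array {
    $names = [];
    foreach (extractPhpBlocks($template) as $block) {
        // Accept exactly one argument-less call and nothing else; extra statements,
        // arguments or comments fail the match and are rejected outright.
        if (!preg_match('/^([A-Za-z_][A-Za-z0-9_]*)\(\);$/', $block, $m)) {
            throw new RuntimeException("Rejected PHP block: '$block'");
        }
        if (!in_array($m[1], $allowedFunctions, true)) {
            throw new RuntimeException("Function '{$m[1]}' is not on the allowed list");
        }
        $names[] = $m[1];
    }
    return $names;
}

// Constructed sample input.
$allowedFunctions = ['showCommentsForThisPage', 'showHeader'];
$template = '<html><?php showHeader(); ?><body><?php showCommentsForThisPage(); ?></body></html>';
print_r(checkTemplateForAllowedFunctions($template, $allowedFunctions));
```

Matching the whole block against a strict pattern replaces the str_replace/trim/"is the rest empty" sequence in the original, which silently accepted anything it failed to recognize as a tag.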
1 Reply


Re: substr() doesn't work

No lawrence, YOU don't work.

You run into a problem and then you expect everyone else to do your work
for you.

do some work and RTFM.
Jul 17 '05 #2