Clever Geek Handbook

Inline PHP (command line)

I would like to do something like tryruby.org. I am taking a string from a user (for example echo __FILE__

) and I want to execute it in PHP and return the result back to the client.

I tried to do exec('php -r ' . $command, $output)

but $output

always contains a php help section.

Can anyone help me or give some advice on how to implement this feature.

thanks a lot.

+3


source to share


4 answers


It looks like your problem is that you are not completing your code to be executed with ' '

. You should also be careful with '

in code, special characters, escape sequences, etc.

In fact, if you insist on using it exec()

, it's better to do this (so you don't completely worry about escaping and such):

$command = base64_encode($command);
exec("php -r 'eval(base64_decode(\"$command\"));'", $output);

You can use eval()

instead of what you post above.

The main problem here (both with eval()

and with code exec()

) is that using PHP code from user input is simply not safe :

The eval () language construct is very dangerous because it allows arbitrary PHP code to be executed. However, its use is not recommended. If you have carefully checked that there is no other choice but to use this construct, please pay special attention not to transmit any data provided by the user without him having correctly checked it beforehand.




Sentence

Since you want to return the result of PHP code, you can potentially do something cool with AJAX, where you pass PHP code to a script (base 64, possibly as a parameter):

$code = base64_decode($_GET['code']);
// clean the user input here
eval($code);

AJAX example with jQuery:

// assuming `code` contains the PHP code
var encoded = base64_enc(code);

$.get('execute.php?code=' + encoded, function(data) {
    var result = new String(data);
    // do something with the result here, such as displaying it
}, dataType='text');

For base 64 encoding in JavaScript see this .

+5


source


To do this php -r

, you will need to put the code you want to execute between '

.. your code ..'

Example:



php -r ' $var = 34; print_r($var); '
+7


source


Have a look at "eval ()", and more importantly why eval () and what you are trying to do is very difficult to achieve in a safe way. Displaying, for example, a user who enters:

echo file_get_contents('/etc/passwd');

You will need a fair amount of work to make this safe, including looking at and filtering out all the system calls made during the eval'd process.

Greetings

0


source


http://tryruby.org seems to have an interactive Ruby shell. This seems to be a good starting point.

There are two projects that provide such a wrapper for PHP: php_repl and phpsh .

The other part is the web interface for the interactive shell. For this part, I suggest you take a look at repl.it , which provides this service for many languages ​​(but not PHP, unfortunately). Here's a link to the source code.

With this combination, you should be able to complete the cour project.

0


source






More articles:


All Articles