I've a template with some PHP code in it. I need to get the names of all the PHP commands, so I can import them and so I can make sure they are officially allowed (for security purposes, users are only allowed to use officially allowed commands). I'm using the following class method. substr() is not working as I expect. When I echo out $location1 and $location2 I get 8287 and 8306, which are the correct answers for the first PHP command. But when I use the vars in substr(), I get a quite astonishing return. You'll see the line where I echo out $name after having run it through substr(). I should only get 19 characters, which is the gap between 8287 and 8306, yet I end up with something like 200 characters, including several other PHP commands. What gives?
function checkTemplateForAllowedFunctions($template = false) {
    // 04-26-04 - for security, if there is some PHP code that we don't
    // recognize, we want the whole script to die.
    if (is_string($template)) {
        $allowedFunctions = $this->getAllowedFunctions();
        // the tags are built by concatenation so the literals are not
        // mistaken for real PHP tags
        $php = "<";
        $php .= "?";
        $php .= "php";
        $end = "?";
        $end .= ">";
        $allowed = false;
        // 04-26-04 - we need to find out how many PHP blocks there are in
        // this template. Then we'll compare them and see if there are equal
        // numbers of both. I'm not sure what sort of an attack a hacker
        // could launch by having an unequal number, but it seems wise to be
        // very careful here.
        $howManyStart = substr_count($template, $php);
        $howManyEnd = substr_count($template, $end);
        if ($howManyStart != $howManyEnd) {
            die("Awful sorry, but there is something wrong with this template. "
                . "We went looking to see how many times we would find the '$php' tag, "
                . "and then we went looking for the '$end' tag. We found $howManyStart "
                . "of the first and $howManyEnd of the second. We should have found "
                . "the same number of both.");
        }
        // search offset, so each pass of the loop finds the next block
        // instead of the first one again
        $offset = 0;
        for ($i = 0; $i < $howManyStart; $i++) {
            $location1 = strpos($template, $php, $offset);
            $location2 = strpos($template, $end, $offset);
            $blockEnd = $location2; // remembered for the offset update below
            // 04-26-04 - we need 3 equal signs to tell the difference between
            // the zero position in the template and the false condition. If
            // there is no php in this template, then we can skip the rest of
            // this function.
            if ($location1 === false) {
                return true;
            } else {
                // 04-26-04 - now we want to get rid of everything before the
                // function name. We want to get the function name. This should
                // return the command and the function name. We should have
                // something that looks like '< ?php showCommentsForThisPage(); ? >',
                // but without the extra spaces that I just added in to protect
                // from errors.
                $name = substr($template, $location1, $location2);
                echo "<hr><hr><hr> here's the first function: $name <hr><hr><hr>";
                // 04-26-04 - now we get rid of the start and end PHP tags, and
                // the white space. What we are left with should look like
                // 'showCommentsForThisPage();'
                $name = str_replace($php, "", $name);
                $name = str_replace($end, "", $name);
                $call = trim($name); // keep the whole call for the check further down
                // 04-26-04 - now we want just the name, without the parentheses.
                $location1 = strpos($call, "(");
                $name = substr($call, 0, $location1);
                $allowed = in_array($name, $allowedFunctions);
                if ($allowed) {
                    $this->import($name, " in checkTemplateForAllowedFunctions(), "
                        . "in the class McControllerForAll.");
                } else {
                    echo "Sorry, but we did not recognize the name of a PHP function "
                        . "in the template or arrangement we were asked to show. We were "
                        . "given '$name', which we did not recognize as being in the "
                        . "official list. These are the officially allowed PHP functions: ";
                    foreach ($allowedFunctions as $val) {
                        echo "$val \n<br />";
                    }
                    die();
                }
                // 04-26-04 - it's critical we make sure some hacker hasn't
                // slipped extra PHP code into this PHP block (after the
                // officially allowed function).
                $location2 = strpos($call, ";");
                $location2 = $location2 + 1;
                $rest = substr($call, $location2);
                // 04-26-04 - this should be an empty string, so if there is
                // something here, that means trouble.
                if ($rest != "") {
                    echo "Sorry, but we did not recognize the name of a PHP function "
                        . "in the template or arrangement we were asked to show. We were "
                        . "given '$rest', which we did not recognize as being in the "
                        . "official list. These are the officially allowed PHP functions: ";
                    sort($allowedFunctions);
                    foreach ($allowedFunctions as $val) {
                        echo "$val \n<br />";
                    }
                    die();
                }
                // continue the search after this block's closing tag
                $offset = $blockEnd + strlen($end);
            }
        } // end of for() loop
    } else {
        $this->error("In checkTemplateForAllowedFunctions(), in the class "
            . "McControllerForAll, we expected to be given a string, but we were "
            . "given nothing.");
    }
}
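PHP's substr() takes (string, start, length), not (string, start, end), so substr($template, 8287, 8306) returns up to 8306 characters starting at offset 8287, which is why the echo shows several further PHP blocks. The following is an added example, not the poster's code: it passes the block length instead, advances strpos() with an offset so every block is visited once, and checks that each block holds exactly one call to an allowed function; the template and allow-list are constructed sample data.

```php
<?php
// Added example, not the poster's code: extract each PHP block's function
// name, passing substr() a LENGTH (end - start) rather than the end offset,
// and moving strpos() forward so every block is visited once.
function extractTemplateFunctions(string $template, array $allowed): array
{
    // built by concatenation, as in the original, so the literals are not
    // mistaken for real PHP tags
    $open  = '<' . '?php';
    $close = '?' . '>';
    $names = [];
    $offset = 0;
    while (($start = strpos($template, $open, $offset)) !== false) {
        $stop = strpos($template, $close, $start);
        if ($stop === false) {
            throw new RuntimeException("Unterminated PHP block at offset $start");
        }
        // Block length including the closing tag. The original passed $stop
        // here, so substr() returned $stop characters from $start onwards.
        $length = ($stop + strlen($close)) - $start;
        $block  = substr($template, $start, $length);
        $code   = trim(str_replace([$open, $close], '', $block));
        // Exactly one call "name(...);" and nothing after the semicolon.
        // Arguments containing ';' are rejected too (the conservative choice).
        if (!preg_match('/^([A-Za-z_][A-Za-z0-9_]*)\s*\([^;]*\)\s*;$/', $code, $m)) {
            throw new RuntimeException("Unexpected code in PHP block: '$code'");
        }
        if (!in_array($m[1], $allowed, true)) {
            throw new RuntimeException("Function '{$m[1]}' is not in the allowed list");
        }
        $names[] = $m[1];
        $offset = $stop + strlen($close); // resume after this block
    }
    return $names;
}

// Constructed sample allow-list and template (two PHP blocks).
$allowed  = ['showHeader', 'showCommentsForThisPage'];
$template = "<html><body>\n<" . "?php showHeader(); ?" . ">\n<p>Hello</p>\n"
          . "<" . "?php showCommentsForThisPage(); ?" . ">\n</body></html>";

var_dump(extractTemplateFunctions($template, $allowed));
```

Any block with a second statement, an unknown function name or a missing closing tag stops processing with an exception instead of importing anything.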