Jump to content

Turn off PHP

Zugzwangle

By Zugzwangle
in PHP Coding Help

 Share

Recommended Posts

RussellReal Member

RussellReal

Posted
Posted

oh I seeeeeeeeeeeee yeahhhhhhhhhhhh

 

.... ... .. .

 

oh right.. javascript..

 

lemme ask you.. do you eval() this code at all? do you put it into a file then include this page? because if you for instance..

 

echo a string which contains "<?php echo 'hi'; ?>" (well technically it wouldn't work because ?> would kill it, but I'm assuming you're pulling it from a DB so the technically doesn't affect you now does it?) it will basically echo it as a string.. not evaluate it :)

 

so you posting here technically is a waste of time.. if you aren't building a file then including it.. and another side note, if you look around I'm the only one here who posted to help you so its probably in your best interest to not get all sarcastic and stuff on a public board, where you are the one here asking for help, and I am the good guy trying to help you :)..

 

Have a good morning in any event :)

Link to comment
Share on other sites
Zugzwangle Member

Zugzwangle

Posted
  • Author
Posted

Oh, I didn't mean to be sarcastic at all!! I was being genuine..  I'll explain.  Users 'html' input, is saved to a SQL database, and then recalled. I presumed that if the user saved <?php // content // ?> and it was recalled by php, it would execute - so that is wrong yes?

Link to comment
Share on other sites
Wolphie Member

Wolphie

Posted
Posted

Oh, I didn't mean to be sarcastic at all!! I was being genuine..  I'll explain.  Users 'html' input, is saved to a SQL database, and then recalled. I presumed that if the user saved <?php // content // ?> and it was recalled by php, it would execute - so that is wrong yes?

 

Yes, that is wrong. Unless it's given as a parameter to eval() then that code will not be executed, but instead be treated as a string (unlike JavaScript on the other hand which is interpreted by the browser)

Link to comment
Share on other sites
RussellReal Member

RussellReal

Posted
Posted

and it is dangerous to allow end user to add JS to your website, we spend a lot of time stopping JS includes. JS can give then an open window to ur server.

 

allowing js doesn't give you a window to your server anywhere other than pages that are requestable from the outside anyway :).. JS never reaches to the backend.. the only thing you need to look out for is server-side javascript..

 

what it DOES do is give them access to cookies on other users' computers, and that is a huge security flaw.. but saying it is a window to your server is a very big exaggeration :)

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.