1

I have a php file, index.php, that contains the jQuery/JavaScript code below. The code is defining a string that will be a new PHP file after it gets ajaxed up to the server. index.php loads fine until I put the PHP line in the first array member. Then when I load index.php I get:

SyntaxError: <html xmlns="http://www.w3.org/1999/xhtml"><head>

Since index.php is a PHP file that is running I know I have to escape the leading < in <?php or the PHP processor will jump in at the server. But apparently I need to do more than that. Does anyone see how I can structure this so that index.php loads and then this code passes <?php ?> up as a harmless string?

$(function() {

var seg1 = ["\<?php phpinfo(); ?>\n",
    "<!doctype html>\n ",
    "<!-- HTML5  -->\n",
    "<html>\n",
    "<head>\n",
    "<meta charset='utf-8' />\n",
    "<title>MyPlace</title>\n" ,
    "<script src='//ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js'><\/script>\n",
    "<script src='//ajax.googleapis.com/ajax/libs/jqueryui/1.10.2/jquery-ui.min.js'><\/script>\n"
       ].join('');
}
Improve this question
1
  • 12
    You're effectively allowing users to execute arbitrary PHP code on your server. This is a gaping security hole. I suggest you find an alternate solution. Commented Aug 14, 2013 at 3:02

1 Answer 1

Reset to default
5

phpinfo() generates a HTML page by itself, so concatenating that with another document isn't exactly kosher.

That said, you could use output buffering first to capture the output of phpinfo() and then use json_encode() to properly escape it:

<?php

    ob_start();
    phpinfo();
    $info = ob_get_clean();

?>
$(function() {
    var seg1 = [<?php echo json_encode($info); ?>,
        "<!DOCTYPE html>\n" // etc etc
    ].join('');

Update

I misunderstood your question; it seems that you allow the upload and execution of arbitrary PHP code on your server. This is highly dangerous and my first advice would be to basically abandon that idea.

If you still feel like shooting your foot off, here's how:

var seg1 = ["<" + "?php phpinfo(); ?" + ">\n",
    "<!DOCTYPE html>\n" // etc etc
].join('');
Improve this answer
Sign up to request clarification or add additional context in comments.

5 Comments

I don't think that's not what the OP is trying to do. I believe he's trying to write a string which represents PHP/HTML which will be sent to the server to be written to a PHP file for execution.
Make sure to scorn the OP for the massive security issue this presents. :P
As JAAulde said, I'm "trying to write a string which represents PHP/HTML which will be sent to the server to be written to a PHP file for execution." This file, say "mypage.php" will only be executed when www.mysite.com/mypage.php is put into a browser. I have to somehow get php to kick in when the file is accessed, but the file is created on the user's machine (using tools on my site) and then uploaded with ajax so I don't have a chance to write php code later. It has to be there when the page uploads. phpinfo() is just a test for now to see that php is being called. Still a security issue?
@Steve Yes, it's still a security issue because you're not stopping users from uploading any kind of code.
Hmmm. I suppose someone could de-obfuscate the page code, find where I upload a php snippet and replace the snippet with something malicious. Ok. I'll look for a different solution. Thanks.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.