1

I am trying to execute code that is returned by a cURL query.

The following code queries a page on my webserver:

$ch = curl_init();
curl_setopt ($ch, CURLOPT_URL, "http://web.com/foo.php");
curl_setopt ($ch, CURLOPT_HEADER, 0);
$res = curl_exec ($ch);
curl_close ($ch);
echo $res;

I would like to do so by only modifying the code in foo.php. I have tried returning PHP code as the result in foo.php with an eval() command but it doesn't seem to work.

Any ideas?

EDIT: Guys, I am not doing this for a public website. It is for a private project, I will be the only user. I know it's a huge security concern, I would never do something like this that would be live on the internet.

Improve this question
3
  • 5
    Needs more info. eval is the way to execute code received as strings, what exactly "doesn't seem to work"? Also: don't do it. eval is evil, and so on... Commented Dec 9, 2010 at 1:13
  • 1
    Wouldn't this fail horribly if there are any included/required scripts... references to a DB, external classes... pretty much anything of any interest? - and even if it did work, god only knows what might be in that code that is now running on your server! - Gah! Commented Dec 9, 2010 at 1:31
  • 1
    Re "I'll be the only user": That doesn't matter, you simply don't do it. :) It opens an attack vector (a huge one) into your system. Even if the chances of somebody exploiting that vector are minimal, it's a bad habit to fall into. Especially private projects are the perfect chance to do it right. Professional programmers are often enough forced into sub-optimal solutions for political reasons, don't go there by yourself if you don't have to. </2cents-and-some-change> :) Commented Dec 9, 2010 at 3:13

3 Answers 3

Reset to default
2

Disclaimer: this is a terrible idea for security and you shouldn't do it.

That said

  • ensure that the allow_url_fopen option is permitted in your php.ini, or set it using ini_set
  • ensure that web.com is actually returning PHP code, not executing the PHP code and returning the output - that won't give you anything useful to run (unless the PHP code is generating other php code as output, but then you're really getting too far down the rabbit hole)
  • then just include "http://web.com/foo.php"

Now, to reiterate, don't do it unless you're really very sure of yourself, or you really like having your site hacked.

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

That would require me to get rid of the cUrl code above and use include instead. My goal is to do this only through cUrl (and not through include)
Why? If you're determined to be insecure, then being insecure this way is much easier than being insecure using curl. Both approaches are a bad idea, and this one is no worse security wise, but much easier implementation wise.
1

Note that eval does not need the leading <?php to work. An alternative to eval would be to write the code into a file and then include said file.

Also, make sure you set the CURLOPT_RETURNTRANSFER option to true, otherwise, you might just display the code.

Improve this answer

2 Comments

How does CURLOPT_RETURNTRANSFER work? I can't find much documentation on that option. Does it save the result in a variable (instead of outputting it directly) ?
CUROPT_RETURNTRANSFER makes it so that curl_exec returns the response as a string instead of writing out directly to the client (browser, console).
1

DISCLAIMER: THIS IS A HORRIBLE IDEA. I HIGHLY RECOMMEND THAT YOU USE SOME OTHER APPROACH.

Im going to guess that the file son your server are being interpreted by the server they are on so you get the PHP parse response. Try renaming them to something else like .phtml. Or turn PHP off on the remote server. Then it should just be a matter of:

$ch = curl_init();
curl_setopt ($ch, CURLOPT_URL, "http://web.com/foo.phtml");
curl_setopt ($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$res = curl_exec ($ch);
curl_close ($ch);

$parsed = eval($res);

// echo or do whatever with $parsed

But as i said in my disclaimer, and everyone commenting answering this question has said... This is a securoty risk and even beyond that has all kinds of gotchas. If you ellaborate on why it is you want to do this we can probably find a better solution that doesnt make Jon Skeet cry.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.