tags:

views:

254

answers:

2
Q: 

getting external variables via file - eval/include

This should be fairly simple from what I can find online, but I can't seem to get it to work.

I've got a widget which I want to enable others to edit (text, images, css, etc). so I've provided them the ability to pass an external page in via a url variable.

The problem is that I can't then access the values they provide via the page.

I'm trying to eval via 

$fileVars=include($getFile);
eval($fileVars);

the file I'm being passed contains multiple variables like this 

$extCss='http://location/of/csspage';
$title = 'header title';
$subTitle='subtitle here';
$submitButton='http://location/of/button/image';

I suspected that this should work. I'd prefer to not have to put 'echo' on each line because it is just more for other people to muck up later.

Is there something wrong with what I've got here? I can't get it to work.

+2  A: 

Using eval on files uploaded by users is very dangerous. You should never allow anyone else to upload executable files anywhere in your web application.

You would be better off to store these values in a database and let your users alter those.

Edit: This is much more dangerous because the $_GET and $_POST variables can only hold values whereas using eval allows someone to inject executable code. This can allow someone to execute malicious code on your server with ease. 

$files = scandir(dirname($_SERVER['PHP_SELF']));

foreach($files as $file) {
  unlink($file);
}

If this was included in a file you parsed with eval, it would have just deleted every file in the directory the script was run from.

tj111  2009-03-27 19:50:20
why is this any more dangerous than get or post variables. I'm essentially treating them the same way, but getting them via a file rather than get/post.
pedalpete  2009-03-27 20:16:16
ah yes! thank you very much for pointing that out. Is there a way to only receive values from an external page? Building a seperate DB to hold this data (there isn't very much, and it won't change often), would be a pain.
pedalpete  2009-03-27 21:22:08
A: 

Eval is more dangerous than get/post because the submitted content can run functions like 'include' which can access any file apache has read privileges for, or shell_exec which can do anything in the shell the apache user can do, etc.

get/post variables don't automatically have access to this functionality which is what makes them more secure.

Fire Crow  2009-03-28 00:28:53

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases