Tutorial :getting external variables via file - eval/include



Question:

This should be fairly simple from what I can find online, but I can't seem to get it to work.

I've got a widget which I want to enable others to edit (text, images, css, etc). so I've provided them the ability to pass an external page in via a url variable.

The problem is that I can't then access the values they provide via the page.

I'm trying to eval via

  $fileVars=include($getFile);  eval($fileVars);  

the file I'm being passed contains multiple variables like this

  $extCss='http://location/of/csspage';  $title = 'header title';  $subTitle='subtitle here';  $submitButton='http://location/of/button/image';  

I suspected that this should work. I'd prefer to not have to put 'echo' on each line because it is just more for other people to muck up later.

Is there something wrong with what I've got here? I can't get it to work.


Solution:1

Using eval on files uploaded by users is very dangerous. You should never allow anyone else to upload executable files anywhere in your web application.

You would be better off to store these values in a database and let your users alter those.

Edit: This is much more dangerous because the $_GET and $_POST variables can only hold values whereas using eval allows someone to inject executable code. This can allow someone to execute malicious code on your server with ease.

$files = scandir(dirname($_SERVER['PHP_SELF']));    foreach($files as $file) {    unlink($file);  }  

If this was included in a file you parsed with eval, it would have just deleted every file in the directory the script was run from.


Solution:2

Eval is more dangerous than get/post because the submitted content can run functions like 'include' which can access any file apache has read privileges for, or shell_exec which can do anything in the shell the apache user can do, etc.

get/post variables don't automatically have access to this functionality which is what makes them more secure.


Note:If u also have question or solution just comment us below or mail us on toontricks1994@gmail.com
Previous
Next Post »