Quick PHP Code Tester Program



JayT
09-14-2007, 08:39 PM
I'd like to have some PHP coders test this simple utility. Their feedback would help me improve on it.

It is an interactive web page you can use to test blocks of PHP code and functions. I use this program all the time to speed up the development and testing of blocks of PHP code and custom functions.



I just re-engineered it for PHP v5.x. However, if within the program you change

$_POST

to

$HTTP_POST_VARS

then it should also work for PHP v4.x.

There is a handy function within PHP called Eval() and this entire program is built around that function.

With this program you can easily experiment with PHP and test many of its functions directly from the keyboard via your web browser, as well as many of your own custom functions.



Here is the complete program code:



<?PHP

/*
General Purpose Basic PHP Script Tester v5.0

PHP v5.2.4

REVISED: 2007 SEP 14 - FRI
*/

Print <<< _HTML

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<HTML>

<HEAD>

<META HTTP-EQUIV="CONTENT-TYPE" CONTENT="TEXT/HTML; CHARSET=ISO-8859-1">

<META NAME="robots" CONTENT="noindex,nofollow">
<META NAME="googlebot" CONTENT="noindex,nofollow">

<!-- Optional CSS sheet

<LINK REL=STYLESHEET HREF="path_to_your.css" TYPE="TEXT/CSS">

-->

<TITLE>PHPX - PHP Code Tester v5.0</TITLE>

</HEAD>


<BODY>

_HTML;

// --------------------------
// Name of this program file.

$_ThisFileName_ = "phpx.php";

// Attach optional custom functions.
// include_once ("path_to_your_custom_function_module.php");


// ------------------------------------------
// Read and execute PHP code entered by user.

$_PHPCode_ = "";

If (@$_POST['PHP_Code'] && $_POST['Execute_Button'])

{
$_PHPCode_ = @$_POST['PHP_Code']; // StripSlashes(@$_POST['PHP_Code']);

Eval($_PHPCode_); // Run the submitted text as PHP; output appears above the form.
}

print "\n";


// ------------------------------
// Display the modified web page.

print <<< _HTML

<FORM NAME="PHPXForm" METHOD="post" ACTION="$_ThisFileName_">
<BR>
<TABLE CLASS="TxBlack" BGCOLOR="yellow" ALIGN="center" CELLPADDING="4" BORDER="8">

<TR>
<TD VALIGN="middle">

<DIV ALIGN="center">

<B>PHPX - PHP Program Code Tester - PHP v5.x</B>

<BR>

<TEXTAREA WRAP="OFF" NAME="PHP_Code" COLS="80" ROWS="20">

_HTML;

print chop($_PHPCode_);

print <<< _HTML

</TEXTAREA>
</DIV>

<DIV ALIGN="center">
<INPUT NAME="Execute_Button" TYPE="submit" VALUE="Execute Code">
</DIV>

</TD>
</TR>

</TABLE>

</FORM>

<DIV ALIGN="center">
<B>Enter PHP Code to Test Minus the &nbsp; &lt;?PHP &nbsp; and &nbsp; ?&gt; &nbsp; Tags</B>
</DIV>

</BODY>
</HTML>

_HTML;

?>




For example, run the program and then copy/paste the following PHP code into the input text area and test it by clicking the [Execute Code] button.




$F = 98.6; // Fahrenheit degrees

print "$F F = " . F_To_C ($F) . " C";


function F_To_C ($F_Arg)
{
return ($F_Arg - 32) * 5/9 ; // Celsius = (Fahrenheit - 32) * 5/9
}



Try it.

Any code entered into the text area within the page is interpreted as PHP code to be executed.

It can also store and remember variables.


It's not a perfect tool yet, but extremely useful nevertheless for quick code and function testing.

You can also attach your own CSS sheet and external custom PHP functions module to it.



IMPORTANT NOTE
When saving this program as a file, it MUST be named "phpx.php" to work correctly. If you change the file name, then the ACTION file name in the form has to be changed to match or the program will not work.

If anyone here tries out this program, let me know what you think about it, if you find any bugs or have any suggestions for improvement.


DANGER DANGER DANGER
This is a potentially very dangerous program! A hacker could possibly damage your site with it, depending on the security settings of your host, so I strongly recommend that if you use it on your web site, rather than locally, you password-protect access to it.

Moonbat
09-14-2007, 11:50 PM
This is actually very helpful, saves me time from having to FTP files back and forth every time I wanna test stuff. Thank you very much for this! :D

JayT
09-15-2007, 12:10 AM
This is actually very helpful, saves me time from having to FTP files back and forth every time I wanna test stuff. Thank you very much for this! :D

Thanks for the feedback. Glad I finally made something useful!

I use it a lot too and it certainly does save me time developing.

However, I already found what may be a minor bug.

The StripSlashes() function interferes with escape codes that need the '\' backslash. The newline code '\n' was converted into 'n' without the '\', which caused problems with certain printed output.


Be careful - that program is potentially dangerous to expose to the public. On my site, I renamed it "index.php" and put it into a password protected folder so I could use it for my private code testing.

It can reveal otherwise hidden details about your PHP site to evil hackers that they could theoretically use to compromise or harm your site. It could also reveal security flaws in your web host.

Ezekiel
09-15-2007, 05:54 AM
The StripSlashes() function interferes with escape codes that need the '\' backslash. The newline code '\n' was converted into 'n' without the '\', which caused problems with certain printed output.

I haven't really got enough time to look at the context, but I always leave user input unaltered, then use mysql_real_escape_string() when querying a database and run all data originating from the user through htmlspecialchars() before output.

Probably irrelevant, but that's my advice anyway.



Be careful - that program is potentially dangerous to expose to the public. On my site, I renamed it "index.php" and put it into a password protected folder so I could use it for my private code testing.

It can reveal otherwise hidden details about your PHP site to evil hackers that they could theoretically use to compromise or harm your site. It could also reveal security flaws in your web host.

Remote file inclusion, system commands; there's a lot of potential for abuse if you leave something like that accessible to the public. It can essentially act as a PHP shell (though Apache probably wouldn't be running under root).

Moonbat
09-15-2007, 12:23 PM
I always end up putting it on my site for just a few minutes to test code, then delete the page. I use a free host for my 'site' (basically my PHP playground) and they block .htaccess because of ".htaccess abuse".

JayT
09-15-2007, 01:42 PM
...

Remote file inclusion, system commands; there's a lot of potential for abuse if you leave something like that accessible to the public. It can essentially act as a PHP shell (though Apache probably wouldn't be running under root).


Exactly. That's why I advised not allowing public access to it.

But as a development tool, I find it extremely useful and a time saver, which is why I wished to share it.

I hope others find it useful too.

:)

Ezekiel
09-15-2007, 05:25 PM
Yeah; I was just giving examples of the kind of attacks people could expect if they didn't follow your advice.

Useful code nonetheless.

Moonbat
03-23-2008, 12:44 PM
Every time I try to use echo to echo something, for example:

echo "test";
It automatically adds slashes before and after the quotation marks, and I get these errors:


Warning: Unexpected character in input: '\' (ASCII=92) state=* in /home/ubar/leet/hax.com/phpx.php(58) : eval()'d code on line *

Parse error: parse error, unexpected $ in /home/ubar/leet/hax.com/phpx.php(58) : eval()'d code on line 2
Any fixes I could get for this problem?

JayT
03-23-2008, 11:03 PM
Every time I try to use echo to echo something, for example:

echo "test";
It automatically adds slashes before and after the quotation marks, and I get these errors:

Any fixes I could get for this problem?



in the line


$_PHPCode_ = @$_POST['PHP_Code']; //StripSlashes(@$_POST['PHP_Code']);


There are 2 versions of the $_POST on that line.

Under PHP 4, I used StripSlashes.

When I switched to PHP 5, it wouldn't work correctly, so I modified the line and removed the StripSlashes and left the part I changed as a comment.

I think it also has to do with the INI settings.


It's also a small, simple program, no elaborate error checks, only intended to test small blocks of code and functions.


:)
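A hardened version of the "Read and execute PHP code entered by user" block, added here as an example and not JayT's code: it refuses requests that are neither from localhost nor carrying a correct HTTP Basic password (covering hosts like Moonbat's where .htaccess is blocked), and it strips magic_quotes_gpc slashes only when PHP actually added them, which is the cause of the "\n" and `\"test\"` problems discussed above. PHPX_USER, PHPX_PASSWORD, $allowed_addrs and phpx_password_ok() are assumed names for this example; PHP_AUTH_USER/PHP_AUTH_PW are only populated when PHP runs as an Apache module.

```php
<?php
// Hardened version of the "Read and execute PHP code entered by user"
// block of phpx.php. Example code, not JayT's original.

// Assumed settings for this example: change the password before uploading.
define('PHPX_USER', 'phpx');
define('PHPX_PASSWORD', 'change-me');
$allowed_addrs = array('127.0.0.1', '::1');   // requests from these skip auth

// Constant-time string comparison (hash_equals() only exists from PHP 5.6).
function phpx_password_ok($given, $expected)
{
    if (strlen($given) !== strlen($expected)) {
        return false;
    }
    $diff = 0;
    for ($i = 0; $i < strlen($given); $i++) {
        $diff |= ord($given[$i]) ^ ord($expected[$i]);
    }
    return $diff === 0;
}

// 1. Gate access: the eval() below must never be reachable by the public.
//    REMOTE_ADDR is the TCP peer, so behind a reverse proxy it is the proxy.
//    PHP_AUTH_* is only populated when PHP runs as an Apache module.
$remote = isset($_SERVER['REMOTE_ADDR'])   ? $_SERVER['REMOTE_ADDR']   : '';
$user   = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : '';
$pass   = isset($_SERVER['PHP_AUTH_PW'])   ? $_SERVER['PHP_AUTH_PW']   : '';

$local  = in_array($remote, $allowed_addrs, true);
$authed = ($user === PHPX_USER) && phpx_password_ok($pass, PHPX_PASSWORD);

if (!$local && !$authed) {
    header('WWW-Authenticate: Basic realm="PHPX"');
    header('HTTP/1.0 401 Unauthorized');
    exit('Authentication required.');
}

// 2. Undo magic_quotes_gpc only when PHP actually applied it, so that a
//    literal "\n" in the submitted code survives on hosts where it is off.
$_PHPCode_ = '';
if (isset($_POST['PHP_Code'], $_POST['Execute_Button'])) {
    $_PHPCode_ = $_POST['PHP_Code'];
    if (get_magic_quotes_gpc()) {
        $_PHPCode_ = stripslashes($_PHPCode_);
    }
    eval($_PHPCode_);   // the tester's purpose; everything above guards it
}
?>
```

Basic auth sends the password in the clear on plain HTTP, exactly as a password-protected folder would, so use HTTPS or stick to the localhost path when testing on a remote host.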