
Is it possible to post PHP code via an HTML form and then run it as PHP?

Something like this:

<form action="#" method="post">
<textarea name="code"></textarea><br>
<input type="submit" value="Run!">
</form>

<?php

if (!empty($_POST['code'])) {
    $_POST['code'];  // Run the Posted PHP code here
}

?>

So if I type

<?php echo 'this is a test'; ?>

in my textarea and then send the form, it will echo "this is a test" out.

EDIT AFTER ANSWERS

Thank you guys, I didn't know the eval() function. I guess I can also do this for security against hackers:

<form action="#" method="post">
<textarea name="code"><?php echo $_POST['code']; ?></textarea><br>
<input type="password" name="pass"><br>
<input type="submit" value="Run!">
</form>

<?php

$pass = 'A SHA2 HASHED PASSWORD';
if (!empty($_POST['code']) && $pass == hash('sha384',$_POST['pass'])) {
    eval($_POST['code']);  // Run the Posted PHP code here
}

?>
Vladimir

  • yes, see eval: http://php.net/eval BUT you shouldn't do it. – Twisted1919 Jun 28 '13 at 12:41
  • It can be done, but that could be disastrous. – Dave H Jun 28 '13 at 12:42
  • As @Twisted1919 said; it is possible, but highly dangerous stuff. You should consider another approach. – OptimusCrime Jun 28 '13 at 12:42
  • Please tell us what problem you're trying to solve this way, so we can suggest a better solution. See [What is the XY problem?](http://meta.stackexchange.com/q/66377) – Jun 28 '13 at 12:43
  • if you are not sure about security and have uploaded this script with `eval();`, you can tell us the url to see what happens after a few minutes – Daniel W. Jun 28 '13 at 12:46
  • it will run correctly only without '' – bbldzr Jun 28 '13 at 12:49
  • @delnan I'm trying to do this so I can test and run PHP code anywhere without needing to install MAMP etc. or log in to cPanel and upload my code. I guess I can protect this page with a SHA-256 hashed password stored in the file too? – Vladimir Jun 28 '13 at 12:50
  • Use it at your own risk. And some security will be useful. – bbldzr Jun 28 '13 at 12:51
  • @Ara - oh, so you are trying to build a c99 shell, that's interesting. That's the word now, testing? – Twisted1919 Jun 28 '13 at 12:51
  • @Ara use `.htaccess` and `.htpasswd`. you might have to tweak with encoding and escaping if you use `eval();` – Daniel W. Jun 28 '13 at 12:51
  • I would be very wary about using eval in this way. What's to stop someone creating their own form and doing a POST to your page ? – James P. Jun 28 '13 at 13:05

4 Answers


Using eval() is generally a bad idea and I don't recommend it.

Here are some reasons why:

  • Potential unsafe input: Passing an untrusted parameter is a way to fail. It is often not a trivial task to make sure that a parameter (or part of it) is fully trusted.

  • Trickiness: Using eval() makes code clever, therefore more difficult to follow. To quote Brian Kernighan: "Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it."

(from #951373)

If you really should, you can use it like this:

<?php

if (!empty($_POST['code']))
{
    $code = $_POST['code'];  // untrusted request data, passed straight to the interpreter
    eval($code);
}

?>

I hope this helps.

Amal Murali
  • Very dangerous code imo. If unchecked, virtually anyone could send a POST with their own code. I'd add an internal check to verify the source and some hash loaded from a DB. But not ideal. – James P. Jun 28 '13 at 13:07
  • ... which is why I said "I don't recommend it". – Amal Murali Jun 28 '13 at 13:08
  • I noticed. Just pointing out the problems it can bring. Another solution would be to save the php code to a DB and fetch it using an id. This way limits any outside tampering. – James P. Jun 28 '13 at 13:16
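The "potential unsafe input" point above, and James P.'s remark that anyone can send a POST carrying their own code, describe exactly the pattern a defender looks for in a code review or a web-shell sweep: request data (`$_POST`, `$_GET`, `$_REQUEST`, `$_COOKIE`) flowing into eval(), either directly or through a local variable. The following scanner is an added example and is not code from this thread or from any of the answers; it is a line-based heuristic written in Python (the names `find_eval_sinks`, `TAINTED_SUPERGLOBALS` and the sample snippets are the example's own), and the PHP inputs it runs over are constructed from the snippets posted in this question and answer.

```python
import re

# Superglobals that carry attacker-controlled request data (example's own list).
TAINTED_SUPERGLOBALS = ("_POST", "_GET", "_REQUEST", "_COOKIE")

# $_POST[...], $_GET[...] etc. anywhere in a fragment of PHP.
TAINT_RE = re.compile(r"\$(" + "|".join(TAINTED_SUPERGLOBALS) + r")\b")
# eval( ... ) anywhere on a line; everything after the opening paren is the argument.
EVAL_RE = re.compile(r"\beval\s*\((?P<arg>.*)", re.IGNORECASE)
# Simple assignment "$var = <rhs>;" (a lone "=", so "==" comparisons are skipped).
ASSIGN_RE = re.compile(r"\$(?P<var>\w+)\s*=(?!=)\s*(?P<rhs>[^;]*);")


def find_eval_sinks(php_source: str) -> list:
    """Return one finding per line where eval() receives request-controlled data.

    Each finding is {"line": <1-based line>, "snippet": <stripped line>,
    "source": "direct" | "variable"}.  Taint is tracked through straight-line
    assignments only; this is a review heuristic, not a full data-flow analysis.
    """
    findings = []
    tainted_vars = set()
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        # Propagate taint: $x = $_POST[...]  or  $y = $x  where $x is already tainted.
        for m in ASSIGN_RE.finditer(line):
            rhs = m.group("rhs")
            if TAINT_RE.search(rhs) or any(
                re.search(r"\$" + re.escape(v) + r"\b", rhs) for v in tainted_vars
            ):
                tainted_vars.add(m.group("var"))
        # Sink check: is the eval() argument (or anything after it) tainted?
        for m in EVAL_RE.finditer(line):
            arg = m.group("arg")
            direct = TAINT_RE.search(arg) is not None
            via_var = any(
                re.search(r"\$" + re.escape(v) + r"\b", arg) for v in tainted_vars
            )
            if direct or via_var:
                findings.append({
                    "line": lineno,
                    "snippet": line.strip(),
                    "source": "direct" if direct else "variable",
                })
    return findings


# Constructed samples, taken from the snippets in this thread.
SAMPLE_QUESTION = """<?php
if (!empty($_POST['code'])) {
    $_POST['code'];  // Run the Posted PHP code here
}
?>"""

SAMPLE_EDITED = """<?php
$pass = 'A SHA2 HASHED PASSWORD';
if (!empty($_POST['code']) && $pass == hash('sha384',$_POST['pass'])) {
    eval($_POST['code']);  // Run the Posted PHP code here
}
?>"""

SAMPLE_ANSWER = """<?php
if (!empty($_POST['code']))
{
    $code = $_POST['code'];
    eval($code);
}
?>"""

# Constructed benign case: eval() of a constant string is not flagged by this heuristic.
SAMPLE_BENIGN = """<?php
$template = 'echo "static text";';
eval($template);
?>"""


if __name__ == "__main__":
    for name, src in [("question", SAMPLE_QUESTION), ("edited", SAMPLE_EDITED),
                      ("answer", SAMPLE_ANSWER), ("benign", SAMPLE_BENIGN)]:
        for f in find_eval_sinks(src):
            print(f"{name}: line {f['line']} ({f['source']}): {f['snippet']}")
```

Running it flags the eval line in the edited question code (direct use of `$_POST`) and in the answer's snippet (via `$code`), while the original placeholder and the constant-string case produce nothing. Pointing the same function at real files on a server is a cheap first pass for spotting left-behind "run my code" pages; anything it reports should then be read by hand, since the regexes know nothing about string concatenation, `extract()` or obfuscated superglobal access.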
It is possible to use the eval() function: http://php.net/eval

eval($_POST['code']);  // Run the Posted PHP code here

Keep in mind that this is often abused by hackers (code injection).

If you want to use PHP while travelling, without uploading or logging in, I strongly recommend a PHP codepad so you don't risk your server: https://www.google.com/search?q=codepad+php&ie=utf-8&oe=utf-8&aq=t

Daniel W.
  • Thank you, yes, that's exactly what I need, I want to use PHP when I'm not home. How about my edited code above, is it still not safe, as it uses a hashed SHA-2 pass? – Vladimir Jun 28 '13 at 13:12
  • It's not safe if pass is visible somewhere, say in a form, as the value could be simply copied and used again. – James P. Jun 28 '13 at 13:17
  • The password is lowering the vulnerability, but it's not 100% "secure". Especially if you don't use HTTPS. There's also the possibility that you will put in code that wrecks your own server by accident. – Daniel W. Jun 28 '13 at 13:34
  • As commented above, if you have to use this solution and not an alternative, what you can do is find a way to pass information internally if the source and target page are on the same web space. If they're not, maybe you could have a callback pattern where page A sends a POST to page B and then page B sends something back expecting some kind of coded response in return. – James P. Jun 29 '13 at 01:39
<form action="#" method="post">
<textarea name="code"></textarea><br>
<input type="submit" value="Run!">
</form>

<?php

if (!empty($_POST['code'])) {
    eval($_POST['code']);  // Run the Posted PHP code here
}

?>
bbldzr

You can also backtrack by keeping the action tag the same as the name of the .php file.