-3

Could someone point out what I'm mistaking here? :)

```php
<?php

$q = $_GET[q];

$acuman = <<<PARSE
input: (contains: "hello"){
output: "hello";
}
PARSE;

$acuman = str_replace("input: (contains: ", 'if(strpos(', $acuman);
$acuman = str_replace("){", ', $q) !== false) {', $acuman);
$acuman = str_replace("output: ", '$output = ', $acuman);

eval($acuman);

?>
```

I'm attempting to execute the string $acuman, a heredoc which has been altered by various str_replace functions. However, it is not doing what I intend it to do, and I am confused as to what to do, as I've tried many different things.

Since many people seemed confused: My intention is for the code in the string $acuman to be executed as code properly. I just want the eval function to work. I know that eval is evil, please, stop: I'm just asking for help for solving the problem at hand.

Edit: When I echo the string $acuman, this is what I get:

```php
if(strpos("hello", $q) !== false) { $output = "hello"; }
```

seanlevan
  • Saying something is "not doing what you intend to do" without telling what you intend to do is pretty much useless – PeeHaa Feb 06 '15 at 23:30
  • Why are you doing this? And print out $acuman and see what it actually contains – ElefantPhace Feb 06 '15 at 23:31
  • The biggest mistake you're making is using `eval ()`, doubly so if you're including user input. I can't really work out what you're trying to achieve here, but there has to be a better way. –  Feb 06 '15 at 23:32
  • I want to execute the code. @PeeHaa – seanlevan Feb 06 '15 at 23:39
  • I strongly disagree with Hobo Sapiens, using eval is a valid way to solve certain classes of problems, however it is far from clear what the problem you are trying to solve here is. What is *very* wrong is trying to implement a translation parsing engine which does not acknowledge the structure of the input. – symcbean Feb 06 '15 at 23:39
  • I am not asking for advice on how to approach my engine or the intent, just how to get `eval()` working to execute the code. @symcbean – seanlevan Feb 06 '15 at 23:41
  • I did print out $acuman and I saw what it actually contained, I just need help executing the code with the function eval. What's so hard to understand about that? @ElefantPhace – seanlevan Feb 06 '15 at 23:42
  • Eval is *not* executing the code. What's hard to understand?? @PeeHaa – seanlevan Feb 06 '15 at 23:46
  • Did you echo out $acuman and make sure the replaces are producing valid PHP code? – developerwjk Feb 06 '15 at 23:51
  • Yes, I did. @developerwjk – seanlevan Feb 06 '15 at 23:52
  • Maybe you should put that printout in the question. Somebody might catch a syntax error. – developerwjk Feb 06 '15 at 23:52

2 Answers

1

You have the arguments in the wrong order:

```php
if(strpos($q, "hello") !== false) { $output = "hello"; }
```

strpos() takes the "haystack" (string being searched) as the first argument and the "needle" (string to find within the "haystack") as the second argument.

AbraCadaver
  • Thanks! You *actually* answered the question without griping about `eval()`. – seanlevan Feb 07 '15 at 00:14
  • There are those that have some misguided hatred for `eval` and decry it at every opportunity, whether they are knowledgeable or not, there are those that see newbs using it in ways they shouldn't and so shout it down, and there are those that see it as the useful tool that it is. – AbraCadaver Feb 07 '15 at 00:35
-1

Ok, so... $acuman appears to contain the following:

```php
if(strpos("hello", $q) !== false) {
  echo "hello";
}
```

Which indicates that $q needs to contain a portion of "hello" to echo the string "hello".

I don't see any problem here, EXCEPT that $q = $_GET[q]; won't work with any modern version because q is treated like a constant, not a variable nor a string literal array index. See this PHP documentation on the subject.

Upon changing to $q = $_GET['q']; instead (note the quotes), it seems like this code actually works. It will output "hello" whenever passing any portion of "hello" to the URL parameter (which gets passed to the PHP code).

Needless to say: Do not use this code for production. The code as it is is very vulnerable and allows a user to pass raw PHP code through to your script to execute. The function of this code can be completely re-written in a much safer manner, but you have expressed the desire to continue using eval(); so please be careful.

Enjoy.

nxasdf
  • Thanks for the warning while still staying civil! :) – seanlevan Feb 06 '15 at 23:57
  • Also, it's odd that `$_GET[q]` doesn't work even though it's incorrect, because I have done that many times before. Still, good answer. – seanlevan Feb 07 '15 at 00:00
  • How are you executing the script? By URL? What is the complete URL you're calling? – nxasdf Feb 07 '15 at 00:01
  • Make it equal `.php?q=ell` and it should work. `hellodude` is not contained in `hello` which is what your script is doing. Unless, you want the code to work the other way around and check for `hello` inside `hellodude` which would work, but you need to change the code. – nxasdf Feb 07 '15 at 00:06
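
Added example (not part of either answer or of the asker's code): one way to do the rewrite without eval() that nxasdf's answer mentions, parsing the rule syntax from the question into data and matching it with strpos() in haystack-first order. The function names parseRules() and applyRules() and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example: interpret the question's rule syntax as data instead of
// translating it to PHP source and passing it to eval().

/**
 * Parse rules of the form  input: (contains: "needle"){ output: "text"; }
 * into a list of ['needle' => ..., 'output' => ...] arrays.
 * parseRules() and applyRules() are hypothetical names, not from the page.
 */
function parseRules(string $source): array
{
    $pattern = '/input:\s*\(contains:\s*"([^"\\\\]*)"\)\s*\{\s*output:\s*"([^"\\\\]*)";\s*\}/';
    $count = preg_match_all($pattern, $source, $matches, PREG_SET_ORDER);
    // Anything left over after removing well-formed rules is a syntax error.
    $leftover = preg_replace($pattern, '', $source);
    if (!$count || trim((string) $leftover) !== '') {
        throw new InvalidArgumentException('Unrecognised rule syntax');
    }
    $rules = [];
    foreach ($matches as $m) {
        $rules[] = ['needle' => $m[1], 'output' => $m[2]];
    }
    return $rules;
}

/** Return the output of the first rule whose needle occurs in $input, else null. */
function applyRules(array $rules, string $input): ?string
{
    foreach ($rules as $rule) {
        // strpos() takes the haystack first and the needle second.
        if ($rule['needle'] !== '' && strpos($input, $rule['needle']) !== false) {
            return $rule['output'];
        }
    }
    return null;
}

$acuman = <<<PARSE
input: (contains: "hello"){
output: "hello";
}
PARSE;

// Constructed sample inputs; in the question this value comes from $_GET['q'].
$rules = parseRules($acuman);
foreach (['hellodude', 'ell', ''] as $q) {
    var_dump(applyRules($rules, $q));
}
```

Because the rule text is only ever matched against a fixed pattern and the request value is only ever passed to strpos() as a string, neither is compiled as PHP.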