Jump to content

A new way of web development in LAMP(Linux, Apache,Mysql,Php) technology


Recommended Posts

Posted

Hi,

This post is mainly for web developer who work on PHP development. We often face problem when we need to import or export large amount of data in/out web server. If the server is in cloud then it also creates tough hurdle.

 

Here I have thought a new approch for Php developers and tried to solve the issue. Have a look and go throughly each doc and reply what should be done more.

 

http://worldsenex.in/index.php

 

Thanks in advance

 

Samiul Haque

 

Posted

I don't understand; why are you echoing the actual PHP code? And down the same path, you would be evaluating it (eval()), which doesn't seem very efficient either compared to just including the file. What is your rationale?

Posted

Apart from the "echo" problem, isn't this just a page template implemented, effectively, as server-side includes? I don't see what is new here.

  • 2 weeks later...
  • 2 weeks later...
Posted (edited)

I am very sorry so say you that , none of you went throughly to the explanation in pdf and downloaded the sample code.

See , personally i am working on this LAMP technology for last 6 years and I found the problem that i have already stated on the website worldsenex.in and this approach is the solution.

 

@Sato :

Please go through the explanation properly. Now the answer of your questuion "I don't understand; why are you echoing the actual PHP code?"

See this approach is good for the development of the website which will act like desktop application.

We can not handle a php and html code that is present in a single file just like a php function. obviously this single file will be small in size(they will be the page of small desk top tool like).

And if i need to create php file dynamically on the fly then we have no other choice except this approach.

Here eval acting as PHP engine before submiting whole php page to the server.

 

I have already created 3 projects using this approach , they are desktop tool like and could handle 1 GB of data transfer from local to cloud server after some data conversion very easily. This is not a framework or readymade code. This is a guideline only for the web developer of course experience developer.

Please try to understand the explanation in pdf and download the sample code run it to your local and follow each line carefully then only u will understand otherwise not.

 

@AtomicMaster Yes eval is evil if you dont handle with care. A tiger is so ferocious but if you able to train him properly then you are the king of your locality !!

 

Good Luck.

Edited by Samiul Haque
Posted (edited)
I am very sorry so say you that , none of you went throughly to the explanation in pdf and downloaded the sample code.

 

 

Which pdf? Do you mean approach.pdf ?

Edited by Sensei
Posted (edited)

I still don't see what is new. Why do you think eval() exists? So you can do this.

No actually eval doesn't exist so you can do this, that is only assuming that "this" is what he actually does in his code.

 

In fact PHP doc specifically says:

 

 

The eval() language construct is very dangerous because it allows execution of arbitrary PHP code. Its use thus is discouraged. If you have carefully verified that there is no other option than to use this construct, pay special attention not to pass any user provided data into it without properly validating it beforehand.

 

 

 

I am very sorry so say you that , none of you went throughly to the explanation in pdf and downloaded the sample code.

 

 

I read the code, and the pdf is just silly; I also just re-familiarized myself with the sample code, and the people at my coffee shop were a little concerned about the look on my face... What happens there is that you take the fundamental problem in web security, and you extend it from occurring on mysql and javascript sides to also be applicable in php for good measure. The sample code breaks the data/code barrier at every level in the stack, this is not good. You could have just as easily built the $BODY as a function of $name, and then not evaled, but simply executed the function when putting the template together. And that would already be more secure, and it changes only a little syntax.

 

instead of <?php eval($BODY) ?> you would have <?php $BODY(); ?>, and $BODY definition would literally just not have single quotes around the function, and the function name will have to be taken out maybe. The only other thing i can see is that you may have to add global $name in the beginning of the $BODY function to get access to $name. But that would already be much more secure.

Edited by AtomicMaster
Posted

No actually eval doesn't exist so you can do this, that is only assuming that "this" is what he actually does in his code.

 

OK. I'll admit I didn't look at it in much detail. I couldn't see anything worth spending any time on ...

Posted (edited)

@AtomicMaster:" I read the code, and the pdf is just silly;" My be my problem is that i tried but i did not make you understand clearly as because I am weak in english.

eval is still good and helpful if you know how to use it.
"instead of <?php eval($BODY) ?> you would have <?php $BODY(); ?>," This question forced me to realise that you did not understand anything of it what I wanted to make you understand. Here i have no other choice instead of using eval(). My aim is that I will not create many more php pages but I have to find out a way so that a code snipet be used as a php page and when ever I need it, just called the holder and that code snipet will be inserted where I want to insert. Suppose , when i need i may call a ceratin function to perform ceratin task, exactlly same what i want just like it. When ever i want i will call that code snippet.

Example:

scenario 1:
<html>
<header></header>

<body>
<div>Header</div>
<div>Body</div>
<div>Footer</div>

</body>
</html>

In Most of the website the header and footer are static and body part will be changed.
Suppose I need 10 different web pages and each page header and footer will be same and only body part will be changed.

Then what we could do ? we will create 10 different php pages and insert into <div>Body</div>
so the page is like that, body1.php,body2.php.........body10.php,
So it will look like this

<html>
<header></header>

<body>
<div>Header</div>
<div><?php include(body1.php) ?></div>
<div>Footer</div>

</body>
</html>

<html>
<header></header>

<body>
<div>Header</div>
<div><?php include(body2.php) ?></div>
<div>Footer</div>

</body>
</html>
.
.
.
.
.
.

<html>
<header></header>

<body>
<div>Header</div>
<div><?php include(body10.php) ?></div>
<div>Footer</div>

</body>
</html>

Now my approach is that i will not cretae 10 php pages but 10 code snippet
say $snippet1 = '<?php
html
and php code
?>';

$snippet2 = '<?php
html
and php code
?>';

$snippet3 = '<?php
html
and php code
?>';

.
.
.
.
.
.

$snippet10 = '<?php
html
and php code
?>';

And u will use these code snippet in main code like this:
----------------------------------------------------------------
PAGE1:

<?PHP
$BODY = $snippet1
?>
<html>
<header></header>

<body>
<div>Header</div>
<div><?php eval($BODY) ?></div>
<div>Footer</div>

</body>
</html>
---------------------------------------------------------------------

----------------------------------------------------------------
PAGE2:

<?PHP
$BODY = $snippet2
?>
<html>
<header></header>

<body>
<div>Header</div>
<div><?php eval($BODY) ?></div>
<div>Footer</div>

</body>
</html>
---------------------------------------------------------------------


----------------------------------------------------------------
PAGE3:

<?PHP
$BODY = $snippet3
?>
<html>
<header></header>

<body>
<div>Header</div>
<div><?php eval($BODY) ?></div>
<div>Footer</div>

</body>
</html>
---------------------------------------------------------------------
.
.
.
.

.
.----------------------------------------------------------------
PAGE10:

<?PHP
$BODY = $snippet10
?>
<html>
<header></header>

<body>
<div>Header</div>
<div><?php eval($BODY) ?></div>
<div>Footer</div>

</body>
</html>
---------------------------------------------------------------------

Now clear my approach? and hopefully u will understand why I use eval()

Edited by Samiul Haque
Posted (edited)

I have no idea why are you calling it "technology".

It's simply structure of website.

I am almost always having just one index.php that's redirecting body to other pages that have no common start and end.

 

For example:

 

[common header]

if( isset( $_GET[ 'ID' ] ) && file_exists( $_GET[ 'ID' ] ) ) require_once( $_GET[ 'ID' ] );

[common footer]

 

And then using URL rewriting:

http://url/article/ -> ?ID=article.php

http://url/support/ -> ?ID=support.php

http://url/contact/ -> ?ID=contact.php

 

What user sees in browser is on the left.

He has no idea about "ID" code.

 

If I want, I can use

$id = $_GET[ 'ID' ];

if( $id == "stuff" )

{

// do something here

}

else if( $id == "other" )

{

// do something else

}

 

and have just one index.php with entire website.

 

In Most of the website the header and footer are static and body part will be changed.

 

In any serious website, it would means not possible to proper search engine optimizations.

Edited by Sensei
Posted

 

OK. I'll admit I didn't look at it in much detail. I couldn't see anything worth spending any time on ...

I only looked out of courtesy, don't, there really is nothing worth spending time on.

 

 

 

Suppose , when i need i may call a ceratin function to perform ceratin task, exactlly same what i want just like it. When ever i want i will call that code snippet.

Yes, in programming it's called a function, in object oriented programming it is called a member of an object.

 

In Most of the website the header and footer are static and body part will be changed.

Suppose I need 10 different web pages and each page header and footer will be same and only body part will be changed.

Ok, i will try to walk through this in more conventional design pattern to see where what you propose is clearly better.

 

So if i have a static header and footer, i have them in a file called includes.php, and i have 2 functions called header() and footer(). Then if my body is significantly different, then i may create 10 pages, otherwise these pages can be a request to the same php page that will have some variable indicating which body to generate. Suppose that the pages are significantly different, then i will have 10 pages plus 1 include file, with the rough strucuture of the page being:

 

require_once('includes.php');
echo header();
// Body code goes here
echo footer();

 

If i really wanted though i can just as easily keep all the code in one page, and build the page based on some get variable for example. If i wanted to go extreme, the page would never reload and just ajax request all the bits, pages and data.

 

 

 

Now my approach is that i will not cretae 10 php pages but 10 code snippet

Ok, with you, i did that for the second approach and created 10 functions in include.php, you could create 10 pages to use each one of them, or you could create 1 page that serves one according to some rule.

 

 

 

And u will use these code snippet in main code like this:

Why? There is no necessity to eval that code, the eval mechanism use is completely unnecessary, and extremely prone to security issues.

Posted

I think he might be proposing that saving PHP code into a database and then calling that for evaluation after a page is requested is faster than creating new files on the server and include()ing.

Posted

Not sure on speed, but if someone is able to change the evaluated variable they can end up owning another user's session.

 

I hadn't even heard of any real eval hacks for years now, since most everyone avoids it like the plague.

 

"If eval() is the answer, you're almost certainly asking the wrong question."

– Rasmus Lerdorf, creator of PHP

Posted (edited)

@sensi: "In any serious website, it would means not possible to proper search engine optimizations." I am 100% agree with this words. Remember , This approach is for mainly creating tool like website and not for global purposes.

Exampl:

Suppose you need 800MB of txt or excel, or dbf or....data to convert and transfer from your local machine to mysql database directly and the db server is in cloud.

For accomplish this task you have many more tooll available in the market say dbforge, mysql workbench, heidisql but all are desktop tool. U need to install it in your local and use. But here you will face mainly two problems:

  1. You have to install it in your local machine
  2. All of your business requirment will not be resolved by any one of the above tool and you obviously face problem in data mapping.
  3. Besides this You will have many more prob to face....

So you see we dont need SEO for our tool, right? if you need to advertise then U have to do it manually.


@AtomicMaster: Now it looks , u are not so aggressive like the before now. Thanks for that.

 

"Why? There is no necessity to eval that code, the eval mechanism use is completely unnecessary, and extremely prone to security issues."

 

We need eval here. See the code snippet is not just html code into php string. It has php and html. When u create a php page u need to put php and html code right?

Here the snippet will help you to understand clear:'

Example:

test.php and the code is below

 

<?php

 

$snippet10 = '

function test_fun($msg = "",$message_stat = "")
{

$name = "Samiul";

$address = "world,";

$message = $msg;
?>

<table>

<tr>

<td>Name</td>

<td>Address</td>

<td>Message</td>

</tr>

<tr>

<td> <?php echo $name ?></td>

<td> <?php echo $address ?></td>

<td> <?php echo $message ?></td>

</tr>

</table>

 

<?php
}
//end of function
?>

';

 

// Now i could create many more snippet like $snippet10, say $snippet11,$snippet12

 

if($cond == "test1"){

$msg= "WELCOME TO MY WORLD";

$message_stat = 'new_stat';

$BODY = "test_fun($msg,$message_stat);".$snippet10;

}

elseif($cond == "test2"){

$BODY = "test_fun($msg,$message_stat);".$snippet12;

}

elseif($cond == "test3"){

$BODY = "test_fun($msg,$message_stat);".$snippet11;

}else {

-

-

-

}

// You could create more variable like $BODY

?>

<html>
<header></header>

<body>
<div>Header</div>
<div><?php eval($BODY) ?></div>
<div>Footer</div>

</body>
</html>

 

 

So this code snippet you could not use it with out eval(). Because eval() will convert this($snippet10) php and html code to only html code and will add to the required position.

So when ever you need the above code snippet just use $snippet10. And to get the completre HTML from this ($snippet10) you must have to use eval().

Hope you will understand now. The main prob i face is that debugging . Debugging is really tough , and need too much sound knoweledge on php.


@Sato : You are partially right. You could also use this approach by saving the code in DataBase.

I have just show you an approach and how will use it , that will totally depend on you.

 

Thanks

Sato


@Endy0816 : if we able to know how eval() works and have deep knoweledge of it then only we could understand the power of eval().

After its birth so many years it left out untouch and some open source and frame work uses it in thei core file for very small purposes.

Remember , if we handle and use atomic power with care and for good purposes (not for making the atomic weapon) then it will be the boon for human being.

 

Good luck All

Edited by Samiul Haque
Posted

What you are not hearing is that you don't need to use the eval construct to solve this problem, I get that you need to use eval to execute a string; you shouldn't be executing a string to begin with, unless it is absolutely necessary and there just is no other way to do something, which is not the case here. There is no need to use it, there is no reason to use it, it is extremely unsafe and insecure, I hope that this is just an experiment.

<?php

$snippet10 = function($msg = "",$message_stat = "")
{
        $name = "Samiul";
        $address = "world,";
        $message = $msg;

?>
<table>
<tr>
      <td>Name</td>
      <td>Address</td>
      <td>Message</td>
</tr>
<tr>
      <td> <?php echo $name ?></td>
      <td> <?php echo $address ?></td>
      <td> <?php echo $message ?></td>
</tr>
</table>
 
<?php
};
 
// Now i could create many more snippet like $snippet10, say $snippet11,$snippet12
// A -- Not only that, you can even put them in an array or a hash for more intuitive referencing

// This would be much more optimized and cleaner with a switch statement
if($cond == "test1"){
    $msg= "WELCOME TO MY WORLD";
    $message_stat = 'new_stat';
    $BODY = $snippet10($msg,$message_stat);
}
elseif($cond == "test2"){
$BODY = $snippet12($msg,$message_stat);
}
elseif($cond == "test3"){
$BODY = $snippet11($msg,$message_stat);
}else {
-
-
-
}
         // You could create more variable like $BODY
?>
<html>

<header></header>



<body>

<div>Header</div>

<div><?php $BODY ?></div>

<div>Footer</div>



</body>

</html>

@Endy0816

Oh how I wish that was true... I give this exactly 2 minutes:

 

http://www.exploit-db.com/exploits/30471

http://packetstormsecurity.com/files/118420/Network-Shutdown-Module-3.21-Remote-PHP-Code-Injection.html

http://www.exploit-db.com/exploits/27941

http://www.exploit-db.com/exploits/22929

 

*Shrug. Thats from just a quick exploit-db search...


Also i am not trying to be aggressive, I understand that i can come off as such, but it is for a good reason. Security and software are one of the very few passions of my life, so sometimes i can get a bit too passionate about it and defy my typically very respectful social convention. It's not because i don't like you, it is because i believe that any software should be secure and safe for the users who use it.

Posted (edited)

@AtomicMaster: oh my God! , I thought you are expert of php but now its clear you dont know any thing, and even php language grammer.

 

And I think you should go throughly about the manual of PHP eval().

 

Besides it you have changed my code

 

I have written

$BODY = "test_fun($msg,$message_stat);".$snippet10;

 

and you modified it to

$BODY = $snippet10($msg,$message_stat);

 

If you have minimal knoweledge of php then you understand why i have written

$BODY = "test_fun($msg,$message_stat);".$snippet10;

 

and even why i am using eval().

 

And one more thing what i want to show the world about the new approach , you are far far away from this.

 

Sorry AtomicMaster , I am expecting reply from best mind of computer science in the world and who are really expert and have depth knoweledge in PHP.

Edited by Samiul Haque
Posted (edited)

@Endy0816 : if we able to know how eval() works and have deep knoweledge of it then only we could understand the power of eval().

After its birth so many years it left out untouch and some open source and frame work uses it in thei core file for very small purposes.

Remember , if we handle and use atomic power with care and for good purposes (not for making the atomic weapon) then it will be the boon for human being.

 

I do understand the power of eval, I understand the power of eval to allow hackers to execute their code on your page.

 

PHP: eval - Manual

 

(PHP 4, PHP 5)

evalEvaluate a string as PHP code

 

Caution

The eval() language construct is very dangerous because it allows execution of arbitrary PHP code. Its use thus is discouraged. If you have carefully verified that there is no other option than to use this construct, pay special attention not to pass any user provided data into it without properly validating it beforehand.

http://br2.php.net/manual/en/function.eval.php

 

It is quite possible you might be able to safeguard your own variables. Now can you make the same claim for everyone else who might use your method? If not, then you are exposing them to unnecessary risk and worse not even acknowledging this fact.

 

It is certainly not just us saying this. You can look up "eval hacks php", "eval alternatives", "eval is evil" and see much the same.

 

 

 

What is old is new again :blink:

 

I can't say I'm huge on security for anything I don't have a personal stake in, but I do like to see it done well if at all possible.

Edited by Endy0816
Posted (edited)

You even dont know the functionality of eval().

 

Not only do i know the functionality of eval, and how it is implemented (in php and javascript), i know first hand of ease of exploitation of eval...

 

 

Besides it you have changed my code

 

I most certainly did, to make it saner... and to make the same exact paradigm work without evaling code. Not only does my version of your code achieve the same result, my redacted version of your code is simpler, securer, faster and shorter...

 

 

If you have minimal knoweledge of php then you understand why i have written

 

I know why you wrote it. I am still trying to get through to you that you don't actually need to do what you did, that eval is unnecessary for what you are trying to do, and that what you are doing is nothing new. You call the function that will be defined when the eval runs, and append the function definition to the string before you eval the block.

 

 

and even why i am using eval().

 

needlessly, carelessly and insecurely

 

What happens in your code when i say that my name is system([some command])

 

Well, let's test it:

php > $a='function p($name){ echo "hello $name"; }';
php > $b='alex';
php > $c="p($b);".$a;
php > eval($c);
hello alex
So what does happen?
php > $a='function p($name){ echo "hello $name"; }';
php > $b="system('uname -msr')";
php > $c="p($b);".$a;
php > eval($c);
hello Darwin 13.1.0 x86_64

Oh look i just dropped out to a shell and i didn't even have to try...
Let's try a normal design:
php > $a=function($name){ echo "hello $name"; };
php > $b='alex';
php > $a($b);
hello alex
hey look it works the same...
But what happens when i try to exploit it?
php > $a=function($name){ echo "hello $name"; };
php > $b="system('uname -msr')";
php > $a($b);
hello system('uname -msr')

So it's shorter, simpler and more secure; POINT!

Edited by AtomicMaster
Posted (edited)

 

 

hey look it works the same...
But what happens when i try to exploit it?
php > $a=function($name){ echo "hello $name"; };
php > $b="system('uname -msr')";
php > $a($b);
hello system('uname -msr')

So it's shorter, simpler and more secure; POINT!

 

@ AtomicMaster My heartiest thanks to you that you have gone deeply into what i have tried to make you understand all.

See , you are seeing this from a single side. Lets try from a broad view. OK? Lets use for webbrowser.

<?php

function($name)

{

echo "hello $name";

 

?>

<!------------------------------------------------------------------------------------------------------------------------------------------ -->

i have here 1000 lines of HTML code and some php code inside html tag, this is what happened in reality.

example :

 

<tr>

<td> <?php echo $name ?></td>

<td> <?php echo $address ?></td>

<td> <?php echo $message ?></td>

</tr>

Here you are seeing php and html is marged. And assume, like this we have 1000 lines of html and php code

<!------------------------------------------------------------------------------------------------------------------------------------------ -->

<?php

};

?>

 

Now say , how you will write using your last coding style? that is simple and shorter, simpler and more secure; ??

 

I do understand the power of eval, I understand the power of eval to allow hackers to execute their code on your page.

 

http://br2.php.net/manual/en/function.eval.php

 

It is quite possible you might be able to safeguard your own variables. Now can you make the same claim for everyone else who might use your method? If not, then you are exposing them to unnecessary risk and worse not even acknowledging this fact.

 

It is certainly not just us saying this. You can look up "eval hacks php", "eval alternatives", "eval is evil" and see much the same.

 

 

 

What is old is new again :blink:

 

I can't say I'm huge on security for anything I don't have a personal stake in, but I do like to see it done well if at all possible.

 

Lets think first to build a big building of 100 storied and there are more people in the world to make it strong and safe for earthquake.

Clear?

Edited by Samiul Haque
Posted (edited)
Now say , how you will write using your last coding style? that is simple and shorter, simpler and more secure; ??

 

 

This is simpler:

 

<?php

printf(

"<tr>

<td>$name</td>

<td>$address</td>

<td>$message</td>

</tr>" );

?>

Edited by Sensei
Posted

 

This is simpler:

 

<?php

printf(

"<tr>

<td>$name</td>

<td>$address</td>

<td>$message</td>

</tr>" );

?>

R you joking? where there are 1000 lines of html, php, JS, css code in to a single file and you will write it into printf function.? Please stop this nonsense. I am expecting some brilliant thoughts.

Posted (edited)

See , you are seeing this from a single side. Lets try from a broad view. OK? Lets use for webbrowser.

<?php

function($name)

{

echo "hello $name";

 

?>

<!------------------------------------------------------------------------------------------------------------------------------------------ -->

i have here 1000 lines of HTML code and some php code inside html tag, this is what happened in reality.

example :

 

<tr>

<td> <?php echo $name ?></td>

<td> <?php echo $address ?></td>

<td> <?php echo $message ?></td>

</tr>

Here you are seeing php and html is marged. And assume, like this we have 1000 lines of html and php code

<!------------------------------------------------------------------------------------------------------------------------------------------ -->

<?php

};

?>

 

Now say , how you will write using your last coding style? that is simple and shorter, simpler and more secure; ??

I am failing to understand what you are asking me to do. The amount of code in the middle is irrelevant, i mean, unless maybe the 2000 lines of html and php code supposed to do something? Am I supposed to write 2000 lines of code? I don't get it. Can you please formulate a problem? Perhaps give me a sample of code that you would like to see re-expressed as i did above. Please be mindful of my time.

 

Also please don't think that this is how I write code, i'm only using this pattern to directly change your code to work without eval, I never serve CSS or JS out of PHP (except if i use a CSS+JS minifier, which acts on static files and runs at caching layer anyways and so doesn't serve the web browser or any html), and i typically build functions/members around html, because i hate repeating even the html code. I also hate jumping out of PHP, so in 99 out of 100 situations my php code has only the php open tag in the beginning of the file.

Edited by AtomicMaster
Posted

cIH8roj.png

 

 

I'll just leave this here...

 

are you looking my website like this? Please clear?

I am failing to understand what you are asking me to do. The amount of code in the middle is irrelevant, i mean, unless maybe the 2000 lines of html and php code supposed to do something? Am I supposed to write 2000 lines of code? I don't get it. Can you please formulate a problem? Perhaps give me a sample of code that you would like to see re-expressed as i did above. Please be mindful of my time.

 

Also please don't think that this is how I write code, i'm only using this pattern to directly change your code to work without eval, I never serve CSS or JS out of PHP (except if i use a CSS+JS minifier, which acts on static files and runs at caching layer anyways and so doesn't serve the web browser or any html), and i typically build functions/members around html, because i hate repeating even the html code. I also hate jumping out of PHP, so in 99 out of 100 situations my php code has only the php open tag in the beginning of the file.

Please see my sample code in worldsenex.in under "See the system approach" link. There you will see how i use the code and yes HTML, CSS ,JS will be neeted in code snippet.

My Last request , please try to understand my approach seeing and analysis my sample code in worldsenex.in

 

Good luck

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.