[pmwiki-users] Include PHP Script in Page Markup

Patrick R. Michaud pmichaud at pobox.com
Thu Aug 10 11:12:23 CDT 2006


On Thu, Aug 10, 2006 at 11:25:16AM +0200, Clemens Gruber wrote:
> Thomas -Balu- Walter wrote:
> 
> >On Wed, Aug 09, 2006 at 09:58:22PM +0200, Clemens Gruber wrote:
> >  
> >
> >>Is there a markup like
> >>(:includephp special-mailform.php:)
> >>
> >>to embed a PHP script in a PmWiki page? In most cases this shouldn't 
> >>be a security risk - even in an open wiki - when the user is not able 
> >>to load their own script to the server. Can anybody help me?
> >>    
> >>
> >
> >It might get one though. PHP allows you to include files from other
> >webservers using include('http://...'). So you'd have to do some sanity
> >checks to make sure it's only a filename and that it might be loaded
> >only from a special directory?
> >
> 
> Hi Balu,
> 
> That's not the problem. The PHP script is on the same server. And you can 
> disable the including from other servers in the Apache config. The 
> problem is the markup code for something like
> 
> (:includephp script.php:)

Is the script designed to be embedded within another page?  Most
scripts know to output their own <html>..<head>..<body> tag sequences,
so if script.php does this then it won't render correctly within
the context of another page (unless you use a frame or iframe of
some sort).

There's also the issue that the output of the script needs to be
inserted into the output at the point of the (:includephp:) line.
For a variety of reasons, PmWiki processes *all* of its markup
before doing any output, so if script.php generates any output
directly (as most scripts do), then that will end up being sent
to the browser well before PmWiki's output begins.  What has
to happen is that the output from script.php has to be captured
and then inserted into PmWiki's output stream at the appropriate
place.

All that said, the easiest first step might be to try the
IncludeUrl recipe and see what happens.

If you really want to include a php script directly, then perhaps
something like:

    function IncludePHP($pagename, $script) {
      ob_start();
      include($script);
      $html = ob_get_contents();
      ob_end_clean();
      return $html;
    }

    Markup('includephp', 'directives',
      '/\\(:includephp (.*?):\\)/e',
      "Keep(IncludePHP(\$pagename, '$1'))");

All of Balu's security concerns are correct -- as written here it 
would be easy for a malicious author to do some nasty mischief.
This is just to give some idea of how to create the markup in the
first place.

Pm
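
An added example, not part of the original message and not PmWiki code: one way to apply the checks Balu suggests (a bare filename only, loaded only from one directory) to the output-capturing function above. The function name IncludePHPSafe, the directory argument and the demo file names are assumptions made for illustration.

```php
<?php
// Added example, not PmWiki code. IncludePHPSafe() and the directory
// layout are hypothetical names chosen for illustration.

function IncludePHPSafe($baseDir, $script) {
    // 1. Accept a bare file name only: no slashes, no "..", no scheme such
    //    as http:// or php://, and a fixed .php extension.
    if (!preg_match('/^[A-Za-z0-9_-]+\.php$/D', $script)) {
        return null;
    }
    // 2. Resolve symlinks and confirm the file really lives in $baseDir.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $script);
    if ($base === false || $path === false || dirname($path) !== $base
        || !is_file($path)) {
        return null;
    }
    // 3. Capture the script's output, as in the original IncludePHP(),
    //    and always close the buffer even if the script throws.
    ob_start();
    try {
        include $path;
        return ob_get_contents();
    } finally {
        ob_end_clean();
    }
}

// Constructed demo: a throwaway directory holding one permitted script.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'includephp-demo-' . getmypid();
mkdir($dir);
file_put_contents("$dir/mailform.php", '<?php echo "<form>demo</form>";');

// Constructed inputs: one allowed name, then names the checks must refuse.
$tests = array('mailform.php', '../config.php', 'http://example.com/x.php',
               '/etc/passwd', 'missing.php');
foreach ($tests as $name) {
    $html = IncludePHPSafe($dir, $name);
    printf("%-28s %s\n", $name, $html === null ? 'rejected' : "included: $html");
}
unlink("$dir/mailform.php");
rmdir($dir);
```

Any page author can still run every script placed in that directory, so it should hold only scripts written to be embedded.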




