[pmwiki-users] Re: PHP code in pages
Patrick R. Michaud
pmichaud at pobox.com
Thu Jun 30 08:50:27 CDT 2005
On Thu, Jun 30, 2005 at 11:55:31AM +0000, Anno wrote:
> Nobody has an idea how this could be done?
# WARNING-WARNING-WARNING this can be really dangerous!
Markup('php', '<{$fmt}',
'/<\\?php(.*?)\\?>/e',
"PHPMarkup(\$pagename, PSS('$1'))");
function PHPMarkup($pagename, $php) {
$php = str_replace(array('<', '>', '&'),
array('<', '>', '&'), $php);
ob_start();
eval($php);
$str = ob_get_contents();
ob_end_clean();
return $str;
}
This looks for anything in the markup consisting of <?php ... ?>
and executes it. Any output is displayed in the page at this point.
As the comments indicate, it's *really* dangerous if you have any
reason to mistrust the authors/editors of the pages, since you're
basically allowing them to execute any command on the system.
Pm
More information about the pmwiki-users
mailing list