php code in article

[gph]

Hi to all,

I have a little problem with the use of php code in records.
I need this feature to put latets version of my program stored in MySql without editing article.
An another program somewhere in the world put the good version in the database.

I put a code like :
<B>Test <?php phpinfo(); ?></B>
in my faqdata table and content field to avoid parse of admin editor.
But the result is :
Test phpinfo(); ?>

The result is the same with or without the parse_code true or false.

What may i wrong ?


Here details of my config :
phpMyFAQ Information
Visites 83
Articles 5
Commentaires 0
Questions ouvertes 1
System Information
phpMyFAQ Version phpMyFAQ 1.5.5
Server Software Apache/1.3.33 (Debian GNU/Linux) mod_fastcgi/2.2.12 mod_perl/1.29
PHP Version PHP 4.3.10-2
Register Globals on
Safe Mode on
Database Client Version 3.23.56
Database Server Version 4.1.7-Debian_4-log
Webserver Interface PXCGI

Thanks a lot for your help.
Philippe.


[/b]

[matteo]

Hi gph,
your issue is a bug introduced after some injection prevention improvements.
Please locate, in the file [PATH_TO_PMFINSTALL]/inc/parser.php, the function processTemplate and replace it with this one below:

Code: Select all

	function processTemplate($templateName, $myTemplate)
    {
		global $PMF_CONF;

        $tmp = $this->templates[$templateName];

        // Security measure: avoid the injection of php/shell-code
        $search  = array('#<\?php#i', '#\{$\{#', '#<\?#', '#`#', '#<script[^>]+php#mi');
        $phppattern1 = "<?php";
        $phppattern2 = "<?";
        if (isset($PMF_CONF['parse_php']) && $PMF_CONF['parse_php'] == 'TRUE') {
            $phppattern1 = "<?php";
            $phppattern2 = "<?";
        }
        $replace = array($phppattern1, '', $phppattern2, '', '' );

        foreach ($myTemplate as $var => $val) {
            $val = preg_replace($search, $replace, $val);
            $tmp = str_replace('{'.$var.'}', $val, $tmp);
        }

        if (isset($PMF_CONF['parse_php']) && $PMF_CONF['parse_php'] == 'TRUE') {

        	$phpstart = '<?php';
        	$phpstop = '?>';

            while ($strstart = strpos($tmp, $phpstart)) {
                $substr = substr($tmp, $strstart + strlen($phpstart));
            	$strstop = strpos($substr, $phpstop);
            	$phpcode = substr($substr,0,$strstop);

                ob_start();
                eval($phpcode);
                $phpcodecontent = ob_get_contents();
                ob_end_clean();

            	$output = substr($tmp, 0, $strstart).$phpcodecontent.substr($tmp, $strstart + strlen($phpstart) + $strstop + strlen($strstop));
        	    $tmp = $output;
            }
        }

		if (isset($this->outputs[$templateName])) {
			$this->outputs[$templateName] .= $tmp;
        } else {
			$this->outputs[$templateName] = $tmp;
        }
    }

Please, test the fix and give us a feedback

[gph]

Hi matteo,

It's ok for PHP code but it's remain a little bug.

The links at top of page (help, ask question, add recodrs, ...) was blank (only when there is a php code to run).

You can see the result here :
http://www.scolaconcept.com/Faq/index.p ... artlang=fr

Thank a lot for your help.
Congratulation at the team of MyFaq, it's a very good product.

Philippe.

[matteo]

It's ok for PHP code but it's remain a little bug.

The links at top of page (help, ask question, add recodrs, ...) was blank (only when there is a php code to run).

You can see the result here :
http://www.scolaconcept.com/Faq/index.p ... artlang=fr

Hi Philippe,
I've just seen the effect on your faq, the link are there: try to select the text on the page or look at the HTML source. I'm not able to reproduce it on my installation: it seems that something is breaking the default PMF CSS, "Espace Clients Scol@ concept" is over a white background and that is the reason why the other links disappear 'cause they are printed with a white ink.
Please try a more simple PHP code such as

Code: Select all

<?php print "Test"; ?>

in order to evaluate if the issue in your system is driven by the extra HTML code printed out by phpinfo().

Regards,
Matteo

[gph]

Hi Matteo,

It's good with print "Test".

If it's only phpinfo who made bug in CSS it's not a problem for me.
I've tried with phpinfo for test but it's not usefull.

Thanks a lot and merry chrismass.

Best regards, Philippe

[jazcyk]

I just tried myself writing PHP code in an article entry. I gave it up and attached as a file instead. Will it be fixed with 1.5.6 ?

[Thorsten]

Hi,

how do you tried it?

bye
Thorsten

[jazcyk]

Simply pasted it in.

Tried from Wysiwyg and HTML-view. In both cases it displayed 'strange' in the browser. Did I overlook a CODE-tag of some kind ?

[Thorsten]

Hi,

put a <code> tag around the PHP code and it should work.

bye
Thorsten

[jazcyk]

I have a problem with attachments folders created by the phpmyfaq code (the Admin Panel) itself at runtime. Folders like .../faq/attachments/47. There is no similar problems with folders created at installation. However the problems are the same with PDF and XML documents created by phpmyfaq.

The problem is that I do not have FTP-access to those folders. I also cannot change priviege. The user credentials used with FTP work fine everywhere else on the server!

Only way is to log on as ROOT from a remote SSH-shell.

The server is our own dedicated server running Red Hat. The server is hosted at an ISP.

Can somebody posible help to explain what is the reason for this. A general privilege issue related to PHP, maybe ??

For the future I will simply not use the Admin Panel for creating attachments but create the folder .../faq/attachments/47, copy files and CHMOD everything - all from FTP. That works fine - you only have to know the id -number of the record in the database and use it for the folder name. So it is not a big deal. But I would like to understand what is happening!

sorry .. that should have been a new thread ...

[jazcyk]

the code-tag functions.
http://www.webyog.com/faq/21_30_en.html

But
1) it inserts an additional leading and trailing PHP-code tag, but I can strip then before inserting
2) things get messed up once you open it again in HTML-view.

CODE and QUOTE tag buttons requested from WYSIWYG - just like in this Forums software !!!

But Thorsen ... you too are welcome to read the FAQ that I link to above and propose a better script!

[Thorsten]

Hi,

the PHP code looks correct now?

bye
Thorsten

[jazcyk]

well .. yes. As you can see. http://www.webyog.com/faq/21_30_en.html

When using the <code> tag it did double the php-tags like:

Code: Select all

<?php
<?php
.
.
?>
?>

Does that mean that the <code> tag isself generates PHP style code -tags like

Code: Select all

<?php
?>

?

Not a problem but someone may want to display other sorts of code. Plain HTML / XML for instance.


I still request a CODE button from Wysiwyg editor!

[Thorsten]

Hi,

ah, okay...

I still request a CODE button from Wysiwyg editor!

just look at the drop down menu where you can see "heading 3".

bye
Thorsten

[jazcyk]

With phpmyfaq 1.5.5 using IE it it not possible to place the curser inside the 'body' window. Any change of 'typography' raises an [object error].

Using Firefox it is not possible to select 'CODE' it switches back to 'Header 3'

Can you reproduce some of that? I might test on another machine and with Firefox on Linux too.