DJ Mike's Tutorials: PHP

Working With Files

Source Code Viewer


Security

There are several ways you can make a source code viewer, but before I show one, I'll show how a source code viewer can be a security risk. When you make a source code viewer, you need to use a function that accepts a URL as an argument. Most functions that accept a URL as an argument can also accept a file path as an argument. If someone enters a file path instead of a URL, the source code viewer will not just show the HTML code, it will also show the PHP code. This isn't a problem with external web pages because file paths will not work for them, but it means that someone can see the PHP code on almost all of your pages.

Using JavaScript to validate the input is not a solution. Someone can easily copy the form and remove the JavaScript to bypass it. Putting the source code viewer in a directory with "safe" files is not a solution because someone can use relative paths to reach any directory. Even having an index.html page hiding the files in a directory may not be a solution. Suppose you have a "test bed" somewhere in your files and a hacker finds it. Using it, a hacker could submit a form with the code to list all the files in a directory.

Source code viewer with file_get_contents()

I chose file_get_contents() for this example because it will read a file as one long string variable. Other functions, like file(), readfile() and fopen(), will read a file as an array. Later on, if you want to modify part of the source code and the part being modified starts in one member of the array and ends in another, your job is much more complex. An example of this is removing multi-line JavaScript. file_get_contents() requires PHP 5.

  1. <?php
    # prevent sourcing of your PHP files: reject anything that does not start with http://
    if ( isset($_GET['url']) && !preg_match("@^http://@i", $_GET['url']) )
    {
        echo "URL's start with http://";
        exit;
    }
    ?>

    Before doing anything, check to see if anything was entered into the form and if what was entered starts with http://. All other tests are nested inside this one.
  2. <?php
    if ( isset($_GET['url']) )
    {
        /*
        read source code into a string
        suppress PHP error messages with @
        die if the file can't be read
        */
        $string = @file_get_contents($_GET['url']) or die("Cannot read " . htmlspecialchars($_GET['url']));
    }
    ?>

    Does a case-insensitive check of the beginning of the input to make sure it starts with http:// and shows an error message if it does not. The @ suppresses the PHP error message so only your error message shows. This prevents PHP sourcing of your own files. (See Regular Expressions)
  3. <?php
    # read the page into one string; die with your own message if it cannot be read
    $string = @file_get_contents($_GET['url']) or die("Cannot read " . htmlspecialchars($_GET['url']));
    ?>

    Use file_get_contents() to read a file and assign the contents to $string. If the file cannot be read or is not valid, die with your own error message.
  4. When file_get_contents() converts the source code into a string, all of the line breaks are lost. You can use str_replace() to add line breaks to make it more readable.
  5. Use htmlspecialchars() to escape all of the angle brackets so you can show the source code within a textarea.
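The five steps above assembled into one page, as an added example (not the tutorial's own code). The form field name "url" is the tutorial's; the function names is_allowed_url() and render_source() are this example's, and parse_url() is used so that a bare "http://" prefix with no host is rejected along with local file paths.

```php
<?php
// Added example (not the tutorial's own code): steps 1-5 combined into one
// function that returns the HTML for the viewer.

// Step 1: accept only http:// URLs (case-insensitive, as the tutorial does).
// Everything else, in particular a local file path, is rejected before any
// file function sees it, so the viewer cannot be used to read your PHP source.
function is_allowed_url(string $url): bool
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['host']) || !isset($parts['scheme'])) {
        return false;
    }
    return strtolower($parts['scheme']) === 'http';
}

// Steps 2-5: read the page, keep line breaks, escape for a textarea.
function render_source(string $url): string
{
    if (!is_allowed_url($url)) {
        return "URL's start with http://";
    }
    // Steps 2/3: read the remote page as one string (needs allow_url_fopen,
    // which is on by default); @ hides PHP's own warning so only our message
    // is shown when the read fails. The URL is escaped before being echoed.
    $source = @file_get_contents($url);
    if ($source === false) {
        return 'Cannot read ' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
    }
    // Step 4: normalise line endings so each original line shows on its own
    // line in the textarea.
    $source = str_replace(["\r\n", "\r"], "\n", $source);
    // Step 5: escape angle brackets and quotes so the source is displayed
    // as text instead of being rendered by the browser.
    return '<textarea cols="100" rows="30" readonly>'
         . htmlspecialchars($source, ENT_QUOTES, 'UTF-8')
         . '</textarea>';
}

if (isset($_GET['url'])) {
    echo render_source($_GET['url']);
}
?>
<form method="get">
  URL: <input type="text" name="url" size="60" />
  <input type="submit" value="View source" />
</form>
```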

Created by DJ Mike from Santa Barbara
