#1 Registered User

    Function reference


    I have code that looks like this:

    Code:
    eval("\$homepage = function() { \$ch = curl_init('http://www.telenetcentral.es/imagebank/productos/caraudio/varios/VUL14BOTE11.htm'); curl_setopt(\$ch, CURLOPT_RETURNTRANSFER, true); curl_setopt(\$ch, CURLOPT_BINARYTRANSFER, true); \$content = curl_exec(\$ch); curl_close(\$ch); return \$content; } ;" );
    echo $homepage;
    If I run this code, I get this error:

    'Catchable fatal error: Object of class Closure could not be converted to string'

    I realize that it's because I need it to say: echo $homepage().

    But, is there any way that I can assign the return value of the function to $homepage without making $homepage a function?

    Thanks.
#2 Contributing User
    Just don't make it a closure:

    PHP Code:
    eval("\$ch = curl_init('http://www.telenetcentral.es/imagebank/productos/caraudio/varios/VUL14BOTE11.htm'); curl_setopt(\$ch, CURLOPT_RETURNTRANSFER, true); curl_setopt(\$ch, CURLOPT_BINARYTRANSFER, true); \$homepage = curl_exec(\$ch); curl_close(\$ch); " );
    echo $homepage;
    Though why are you using eval instead of just writing out the code?
#3 Devshed Expert
    What are you doing there??

    I don't know if you're taking part in some obfuscation contest, but this is the most obscure code and problem I've seen in a long time.

    Just define a normal function (without eval), call it and assign the return value to $homepage. If you really need a closure, put it in a different variable and then do the same.
#4 Contributing User
    Originally Posted by Jacques1
    What are you doing there??

    I don't know if you're taking part in some obfuscation contest, but this is the most obscure code and problem I've seen in a long time.

    Just define a normal function (without eval), call it and assign the return value to $homepage. If you really need a closure, put it in a different variable and then do the same.
    When I looked at this at first I thought, hmmm, this looks a little like the beginnings of some of those hacks that infect WordPress sites, you know, where they insert something like:

    PHP Code:
    eval( 'aweiufhaw98efha9w8ehfiuah3o28fhao8wehfo8a734yfo8a74'); 
    which is really some piece of code that injects spam into your web page ... anyway, hopefully it's not ...
#5 Registered User
    First, thanks for all of the fast replies. Actually, this is for a Magento plugin. I am providing a way for admins to enter a calculated field during the CSV import. Here is the actual code in my extension:

    Code:
    eval("\$strEval = \"$strColumn\";");
    $itemData[$field] = isset($strEval) ? $strEval : null;
    The admin provides $strColumn. I'm trying to figure out how the user could provide a function that would return a value that would be assigned to the $strEval variable.

    Thanks again
#6 Contributing User
    If it's close to your first code, couldn't you do:
    PHP Code:
    eval("\$strEval = \"$strColumn\";");
    $itemData[$field] = !empty($strEval()) ? $strEval() : null;

    Comments on this post

    • Jacques1 disagrees: When somebody is about to shoot himself in the foot, do you tell him what's the best gun for that?
#7 Contributing User
    Hmmm, actually that might be a tad expensive doing it twice. What about:

    PHP Code:
    eval("\$strEval = \"$strColumn\";");
    $newStrEval = $strEval();
    $itemData[$field] = !empty($newStrEval) ? $newStrEval : null;
#8 Registered User
    Originally Posted by msteudel
    If it's close to your first code, couldn't you do:
    PHP Code:
    eval("\$strEval = \"$strColumn\";");     
    $itemData[$field] = !empty($strEval()) ? $strEval() : null
    The problem is that right now, if they provide inputs such as (I get rid of the eval: part):

    eval:'Static text'
    eval:column[1] + column[3]

    the value is assigned to $strEval correctly. But I'm trying to figure out how to make it so they can write a function such as:

    Code:
    eval:function() { \$ch = curl_init('(URL address blocked: See forum rules)'); curl_setopt(\$ch, CURLOPT_RETURNTRANSFER, true); curl_setopt(\$ch, CURLOPT_BINARYTRANSFER, true); \$content = curl_exec(\$ch); curl_close(\$ch); return \$content; }
    and have it still work without turning $strEval into a function.
#9 Contributing User
    And Magento requires that you return a function?
#10 Registered User
    Originally Posted by msteudel
    And Magento requires that you return a function?
    No. The reason I'm using eval() is because I'm giving the admin the ability to enter PHP code in the column to allow custom calculations. Here is a screenshot of the backend and my extension:

    Code:
    http://toybananasoft.com/importeval/
    I would just like to know how to assign $strEval to the function's return value, not make it a function reference.
#11 Devshed Expert
    Do - not - do - this.

    This whole approach is terrible. You basically let the end user (in this case admins) dynamically generate code for the core application. Whatever they put into their text field, you'll happily inject it into the application code.

    If any admin has bad intentions or any admin account gets captured, you can say goodbye to your server. The attacker will be able to execute any PHP code.

    So forget this idea.

    Can't you just provide specific functionalities like math or string operations? Do the admins really have to be able to define anything? If that's the case, you'll need a kind of sandbox or parser to control what's happening. You must not let the code run in the actual application.
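The "specific functionalities" alternative Jacques1 describes, as an added example that is not code from the thread or from the OP's extension: the admin's column expression is tokenized against a fixed grammar and interpreted, so the text never reaches eval(). It covers the inputs the OP shows ('Static text', column[1] + column[3]) plus parentheses and operator precedence; the function name evaluateColumnExpression, the PHP 8 requirement and the sample row are assumptions made here.

```php
<?php
// Added example, not code from the thread: admin-supplied column expressions are
// tokenized against a fixed grammar and interpreted, so the text never reaches eval().
// Grammar: numbers, 'strings', column[N], + - * / and parentheses. Assumes PHP 8.
function evaluateColumnExpression(string $source, array $row): string|float
{
    // Tokenize. \G pins each match to the current offset, so any byte outside the grammar throws.
    $re = '/\G\s*(?:(\d+(?:\.\d+)?)|\'([^\']*)\'|column\[(\d+)\]|([-+*\/()]))/';
    $tokens = [];
    for ($off = 0; trim(substr($source, $off)) !== ''; $off += strlen($m[0])) {
        if (!preg_match($re, $source, $m, PREG_UNMATCHED_AS_NULL, $off)) {
            throw new InvalidArgumentException("Unexpected input at offset $off");
        }
        // Values are resolved now (float, string literal, or the row's column); operators stay tagged.
        $tokens[] = $m[1] !== null ? (float)$m[1] : ($m[2] ?? ($m[3] !== null
            ? ($row[(int)$m[3]] ?? throw new InvalidArgumentException("No column $m[3]")) : ['op', $m[4]]));
    }
    // Parse by precedence climbing: each call consumes operators binding tighter than $minPrec.
    $pos = 0;
    $prec = ['+' => 1, '-' => 1, '*' => 2, '/' => 2];
    $num = fn($v) => is_numeric($v) ? (float)$v : throw new InvalidArgumentException("Not a number: $v");
    $expr = function (int $minPrec) use (&$expr, &$pos, $tokens, $prec, $num): string|float {
        $v = $tokens[$pos++] ?? throw new InvalidArgumentException('Expected a value');
        if ($v === ['op', '(']) {
            $v = $expr(0);
            if (($tokens[$pos++] ?? null) !== ['op', ')']) throw new InvalidArgumentException('Missing )');
        } elseif (is_array($v)) {
            throw new InvalidArgumentException("Unexpected operator $v[1]");
        }
        while (is_array($t = $tokens[$pos] ?? null) && ($prec[$t[1]] ?? 0) > $minPrec) {
            $pos++;
            [$a, $b] = [$num($v), $num($expr($prec[$t[1]]))];
            if ($t[1] === '/' && $b === 0.0) throw new InvalidArgumentException('Division by zero');
            $v = match ($t[1]) { '+' => $a + $b, '-' => $a - $b, '*' => $a * $b, '/' => $a / $b };
        }
        return $v;
    };
    $result = $expr(0);
    if ($pos !== count($tokens)) throw new InvalidArgumentException('Trailing tokens after expression');
    return $result;
}

// Constructed sample CSV line; the first two expressions are the ones the thread shows.
$row = ['SKU-1', '12', 'blue', '7'];
var_dump(evaluateColumnExpression("column[1] + column[3]", $row));
var_dump(evaluateColumnExpression("'Static text'", $row));
var_dump(evaluateColumnExpression("(column[1] + column[3]) * 2", $row));
```

Anything outside the grammar, including a function definition or a call such as curl_init(), fails at the tokenizer with an InvalidArgumentException instead of executing.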
#12 Registered User
    Originally Posted by Jacques1
    Do - not - do - this.

    This whole approach is terrible. You basically let the end user (in this case admins) dynamically generate code for the core application. Whatever they put into their text field, you'll happily inject it into the application code.

    If any admin has bad intentions or any admin account gets captured, you can say goodbye to your server. The attacker will be able to execute any PHP code.

    So forget this idea.

    Can't you just provide specific functionalities like math or string operations? Do the admins really have to be able to define anything? If that's the case, you'll need a kind of sandbox or parser to control what's happening. You must not let the code run in the actual application.
    If their admin account is captured, their store is toast anyway. Besides, PHP should be set up to only be able to execute what it needs anyway (safe mode). I leave that up to the admin.
