After Hours Programming

PHP Notepad

The PHP Notepad is still currently under development. It probably still has some vulnerabilities, but I am working to resolve them. The finalized version is coming soon, but feel free to use it! I would like to thank everyone for testing this beta version, especially the reddit PHP community.

The PHP Notepad executes your PHP code online.

Certain PHP functions have been restricted on the PHP Notepad. In fact, many functions have been restricted, since PHP has a few thousand of them. The most useful functions are enabled, but the ones you could use to take down this website are not; hopefully you did not want to hack my site anyway. If you want to do file manipulation, print server variables, and so on, you will need to use your own offline editor.

Have you ever wanted to try out some PHP code really quickly? It is annoying to open a text editor, write the code, upload the file, and then navigate to its address. That is a lot of steps just to see the result of your PHP code. Why not test your PHP code right here in the PHP Notepad?


The PHP Notepad can take 3 types of input:

Example 1 echo 'The output of your code will be displayed here!'; // initially assumes it is PHP
Example 2 <?php echo 'The output of your code will be displayed here!'; ?>
Example 3 <h1><?php echo 'The output of your code will be displayed here!'; ?></h1>

However, the PHP Notepad will not treat PHP code inside HTML as PHP unless it is wrapped in PHP tags. Without the tags there is no way to tell PHP apart from the surrounding HTML, so it is displayed as regular HTML.
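The restriction described above is a filter over the submitted source. The following is an added example, not the PHP Notepad's own code (its real filter is not shown on this page). It puts a regex blacklist of the kind discussed in the comments below next to an allowlist enforced on PHP's token stream, and runs both over the bypass snippets posted in those comments. The blacklist contents, the allowlist contents and the sample snippets are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Added example, not the PHP Notepad's own code (its real filter is not shown on the page).
// A regex blacklist of the kind the comments below describe is contrasted with an allowlist
// enforced on PHP's token stream: a "(" may only follow a literal function name that is on
// the list, so a callee assembled at runtime ($f(), 'name'(), $a[0](), ...) is refused.

// Hypothetical blacklist (assumption; the Notepad's own list is not published).
const BLACKLIST = ['file_get_contents', 'scandir', 'base64_decode', 'eval', 'system', 'exec'];

function regex_blacklist_allows(string $code): bool
{
    foreach (BLACKLIST as $name) {
        if (preg_match('/\b' . preg_quote($name, '/') . '\s*\(/i', $code)) {
            return false;
        }
    }
    return true;
}

// Allowlist for a practice notepad: nothing that reaches files, the network or processes, and
// nothing that takes a callback (array_map('file_get_contents', [...]) would reopen the hole).
// str_rot13 and str_replace stay allowed: with a literal-callee rule they cannot call anything.
const ALLOWED = ['strlen', 'strtoupper', 'strtolower', 'str_repeat', 'str_replace', 'str_rot13',
    'substr', 'trim', 'implode', 'explode', 'count', 'array_sum', 'array_keys', 'range',
    'htmlspecialchars', 'print_r', 'var_dump', 'number_format', 'abs', 'max', 'min'];

function tokenizer_allows(string $code, ?string &$why = null): bool
{
    if (strpos($code, '<?') === false) {           // Notepad input form 1: bare PHP without tags
        $code = "<?php\n" . $code;
    }
    // Token constants differ between PHP versions; resolve only those that exist.
    $ids = function (array $names): array { return array_map('constant', array_filter($names, 'defined')); };
    $banned  = $ids(['T_EVAL', 'T_INCLUDE', 'T_INCLUDE_ONCE', 'T_REQUIRE', 'T_REQUIRE_ONCE', 'T_NEW']);
    $dynamic = $ids(['T_VARIABLE', 'T_CONSTANT_ENCAPSED_STRING', 'T_END_HEREDOC',
                     'T_NAME_QUALIFIED', 'T_NAME_FULLY_QUALIFIED', 'T_NAME_RELATIVE']);
    $member  = $ids(['T_OBJECT_OPERATOR', 'T_NULLSAFE_OBJECT_OPERATOR', 'T_DOUBLE_COLON', 'T_NS_SEPARATOR']);

    $sig = [];                                      // significant tokens: whitespace and comments dropped
    foreach (token_get_all($code) as $t) {
        if (!is_array($t) || !in_array($t[0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)) {
            $sig[] = $t;
        }
    }
    $allowed = ALLOWED;                             // plus any function the snippet declares itself
    foreach ($sig as $i => $t) {
        $next = $sig[$i + 1] ?? null;
        if (is_array($t) && $t[0] === T_FUNCTION && is_array($next) && $next[0] === T_STRING) {
            $allowed[] = strtolower($next[1]);
        }
    }
    foreach ($sig as $i => $t) {
        if ($t === '`') { $why = 'shell backticks'; return false; }
        if (is_array($t) && in_array($t[0], $banned, true)) { $why = token_name($t[0]); return false; }
        if ($t !== '(') continue;
        $prev = $sig[$i - 1] ?? null;               // the thing this "(" applies to
        if (is_string($prev)) {                     // one-character punctuation or operator
            if (in_array($prev, [')', ']', '}', '"'], true)) { $why = "call through '$prev'"; return false; }
            continue;                               // plain grouping, e.g. "= (" or "! ("
        }
        if ($prev === null) continue;
        if (in_array($prev[0], $dynamic, true)) { $why = 'dynamic callee: ' . token_name($prev[0]); return false; }
        if ($prev[0] === T_STRING) {                // literal name: must be listed and not a method
            $before = $sig[$i - 2] ?? null;
            if (is_array($before) && in_array($before[0], $member, true)) { $why = 'method/static/namespaced call'; return false; }
            if (!in_array(strtolower($prev[1]), $allowed, true)) { $why = 'not allowlisted: ' . $prev[1]; return false; }
        }                                           // keywords (if, while, array, isset, ...) are grouping
    }
    $why = null;
    return true;
}

// Constructed samples: the bypasses posted in the comments, the direct call, and a benign snippet.
function gate_report(): array
{
    $samples = [
        'benign'  => "echo strtoupper(str_repeat('ab', 3));",
        'rot13'   => "\$f = str_rot13('svyr_trg_pbagragf');\nprint \$f('index.php');",
        'replace' => "\$f = str_replace('ph', 'f', 'phile_get_contents');\nprint \$f('index.php');",
        'literal' => "print 'file_get_contents'('index.php');",   // PHP 7 uniform variable syntax
        'direct'  => "print file_get_contents('index.php');",
    ];
    $report = [];
    foreach ($samples as $label => $code) {
        $why = null;
        $report[$label] = ['regex' => regex_blacklist_allows($code),
                           'tokens' => tokenizer_allows($code, $why), 'why' => $why];
    }
    return $report;
}

foreach (gate_report() as $label => $r) {
    printf("%-8s regex:%-5s tokens:%-5s %s\n", $label,
        $r['regex'] ? 'pass' : 'block', $r['tokens'] ? 'pass' : 'block', $r['why'] ?? '');
}
```

The regex only ever blocks the snippet that spells the banned name out in full followed by a parenthesis; the rot13 and str_replace variants, and the quoted-string call that PHP 7 accepts, go straight through it. The tokenizer gate refuses all three because the callee is not a literal name, while still letting the benign snippet and the string helpers run. A source gate of this kind only controls what the snippet can name; it does nothing about run time, memory, or functions reachable through a listed one, so it belongs in front of, not instead of, the interpreter-level restrictions (disable_functions, open_basedir, a separate time-limited process) that the comments below recommend.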

Problems with the PHP Notepad?

The PHP Notepad is in beta testing, but is slowly moving into production. If you find any issues with the PHP Notepad or cannot figure out how to use it, please use the comments form below to tell me about any issues. Don't hesitate; I really want to make it better and help you learn! Of course, you can also send suggestions on how to improve how you can test your PHP code. The PHP Notepad is only for practice and quick executions.





Comments

CHARLIE GUPTA
May 5, 2013 02:49AM
very abstract tutorial


Elijah Horton
March 7, 2013 08:20AM
Hey Jared,

This is a neat resource you're trying to put together, but your struggle with securing the code passed to your server will be ongoing if you're trying to lock down PHP's global scope.

Might I suggest trying out my BSD-licensed PHPSandbox class and see if it helps?

https://github.com/fieryprophet/php-sandbox

Rolisoft is correct in that it is PHP-userland code, and I make no claims that it is 100% impossible to break out of, but I feel very confident it will be a vast improvement, particularly since it allows the use of whitelists (e.g. you can give it a list of functions to allow, rather than relying on a list to block) and you can have the sandbox rewrite functions and classes so they use your own versions of them. However, Rolisoft is incorrect in stating that it is vulnerable to the particular attack vector he listed, as it would require you to allow the _ function, allow closures, and that when PHPSandbox checks the alphanumeric code it doesn't read it as evaluating to a blacklisted function (yes, it checks variable functions!).

It also contains a toolkit in which you can experiment (from the safety of your local dev environment only!) with all of the sandbox settings to figure out which options will be best for you without requiring you to write a million code snippets.

Hope it helps.


Jared Drake
February 28, 2013 10:22AM
@RoliSoft. Thanks again. I swear I had file_get_contents on the ban list... Guess not. Those have all been fixed as well. Also, this file is "sandboxed" on another server. So, any impact the vulnerability has will not affect afterhoursprogramming.com


RoliSoft
February 28, 2013 10:01AM
I would like to recommend that you take a different route than using regex to find functions and ban them. You banned base64_decode, but there are a myriad ways to do something in a programming language.
For example #1:

$f = str_rot13('svyr_trg_pbagragf'); // rot13 of 'file_get_contents'; the banned name never appears literally
print $f('php-notepad-regex.php');   // variable function call

Take #2:

$f = str_replace('ph', 'f', 'phile_get_contents'); // 'phile_get_contents' -> 'file_get_contents'
print $f('php-notepad-regex.php');

Sure, you could go ahead and ban str_replace and str_rot13, but what would you do about this:

$f = 'xile_fet_montents';           // 'file_get_contents' with three letters swapped out
for($i = 0; $i < 14; $i++){         // only the first 14 characters need rewriting
	switch($f[$i]){
		case 'x': $f[$i] = 'f'; break;
		case 'f': $f[$i] = 'g'; break;
		case 'm': $f[$i] = 'c'; break;
	}
}
print $f('php-notepad-regex.php');

Ban foreach and switch?

What I recommend you use instead is some kind of sandboxing that is a bit more advanced than regular expressions.

1) Either try to assign a custom php.ini to the php-notepad folder and disable "file_get_contents" in there. That way you can re-enable chr(), base64_decode() and other harmless functions, since even if I put "file_get_contents" into $f and call it, PHP will quit with a security error.

2) You can look into the "runkit" extension for PHP, which is essentially a PHP VM and does exactly sandboxing. You can even replace built-in functions with your own, etc. http://www.php.net/manual/en/book.runkit.php

3) Do what other online universal code runners do, and create a folder outside of the wwwroot, cd into it, run the whole php binary with the code sample as a parameter and chroot the php process to the temporary dir you created. Kill it after 2 seconds or if it goes over x% CPU usage, then delete the temporary folder.

4) If you are unable to install PHP extensions (eg. host won't let you) then look into PHP-based solutions for sandboxing code: https://github.com/fieryprophet/php-sandbox (However, this is still PHP-based PHP sandboxing, so it is exploitable. It is vulnerable to this: http://www.thespanner.co.uk/2011/09/22/non-alphanumeric-code-in-php/ )

Feel free to remove my comment or edit out the codes, as they demonstrate a vulnerability on your production server.
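The route described in points 1 and 3 of the comment above, as an added example that is not part of the comment or the site's own code: the snippet is written into a private temporary directory and executed by a separate php process whose configuration is overridden on the command line, so the dangerous functions are gone from that interpreter and a name assembled at runtime fails just as the literal would. The function list, the limits, the use of the php CLI binary on PATH and a Linux host are assumptions; a deployment would still add a chroot or container, an unprivileged user and resource limits, none of which this example does.

```php
<?php
declare(strict_types=1);

// Added example, not code from the page or its author. Runs a snippet in a separate php process
// with disable_functions and open_basedir set on the command line, under a wall-clock deadline.
// Assumptions: Linux, the php CLI binary on PATH; no chroot, container or privilege drop here.

const PHP_BIN = 'php';
const WALL_CLOCK_SECONDS = 2;
// eval, include and require are language constructs and cannot be disabled this way;
// open_basedir below confines what include/require can reach.
const DISABLED = 'file_get_contents,file_put_contents,fopen,readfile,file,scandir,opendir,glob,'
    . 'unlink,rename,mkdir,rmdir,copy,tempnam,touch,exec,shell_exec,system,passthru,proc_open,'
    . 'popen,pcntl_exec,curl_exec,fsockopen,stream_socket_client,mail,putenv,ini_set,dl';

function run_snippet(string $code): array
{
    $dir = sys_get_temp_dir() . '/notepad-' . bin2hex(random_bytes(8));
    if (!mkdir($dir, 0700)) {
        throw new RuntimeException("cannot create $dir");
    }
    if (strpos($code, '<?') === false) {            // Notepad input form 1: bare PHP without tags
        $code = "<?php\n" . $code;
    }
    $file = $dir . '/snippet.php';
    file_put_contents($file, $code);

    $argv = [PHP_BIN, '-n',                         // -n: ignore the system php.ini entirely
        '-d', 'disable_functions=' . DISABLED,
        '-d', 'open_basedir=' . $dir,               // whatever file access remains is fenced to $dir
        '-d', 'allow_url_fopen=0',
        '-d', 'memory_limit=32M',
        '-d', 'max_execution_time=' . WALL_CLOCK_SECONDS,
        '-d', 'display_errors=stderr',
        $file];
    $cmd = implode(' ', array_map('escapeshellarg', $argv));
    $proc = proc_open($cmd, [1 => ['pipe', 'w'], 2 => ['pipe', 'w']], $pipes, $dir);
    if (!is_resource($proc)) {
        throw new RuntimeException('proc_open failed');
    }
    stream_set_blocking($pipes[1], false);
    stream_set_blocking($pipes[2], false);

    // max_execution_time counts CPU time; a wall-clock deadline also catches sleeping or blocked code.
    $deadline = microtime(true) + WALL_CLOCK_SECONDS;
    $out = $err = '';
    $killed = false;
    $exit = -1;
    while (true) {
        $out .= (string) stream_get_contents($pipes[1]);
        $err .= (string) stream_get_contents($pipes[2]);
        $status = proc_get_status($proc);
        if (!$status['running']) {
            $exit = $status['exitcode'];            // only valid the first time after exit
            break;
        }
        if (microtime(true) > $deadline) {
            proc_terminate($proc, 9);               // SIGKILL: the snippet cannot catch it
            $killed = true;
            break;
        }
        usleep(20000);
    }
    $out .= (string) stream_get_contents($pipes[1]);
    $err .= (string) stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);

    foreach (array_diff(scandir($dir), ['.', '..']) as $leftover) {   // the snippet may have created files
        @unlink($dir . '/' . $leftover);
    }
    @rmdir($dir);
    return ['stdout' => $out, 'stderr' => $err, 'exit' => $exit, 'killed' => $killed];
}

// Constructed samples: the rot13 bypass from the comments, a runaway loop, and a benign snippet.
$samples = [
    'rot13'  => "\$f = str_rot13('svyr_trg_pbagragf');\nprint \$f('snippet.php');",
    'loop'   => "while (true) { usleep(1000); }",
    'benign' => "echo strtoupper('ok');",
];
foreach ($samples as $label => $code) {
    $r = run_snippet($code);
    printf("%-7s exit=%d killed=%s stdout=%s stderr=%s\n", $label, $r['exit'],
        $r['killed'] ? 'yes' : 'no', json_encode($r['stdout']), json_encode(trim($r['stderr'])));
}
```

Here the rot13 trick no longer matters: the child interpreter has no file_get_contents to call, so the call fails inside PHP (a "disabled for security reasons" warning in PHP 7, an undefined-function Error in PHP 8) and the regex question disappears. The sleeping loop never trips max_execution_time, which counts CPU time, and is ended by the parent's deadline instead. Run the child as a dedicated unprivileged user, or inside a container, before exposing anything like this publicly.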


Jared Drake
February 27, 2013 10:03AM
@RoliSoft Thank you sir. Those issues should be fixed, I don't know why I forgot to block those. I am sure there are a few more that I missed... :(


RoliSoft
February 27, 2013 10:01AM
Hey, the script is great.

I don't want to be "that guy", but it's really easy to bypass your *file* restriction.

// to list files (you can do ../ and so on)
print_r(scandir('.'));

// to bypass your security and open file
$f = base64_decode('ZmlsZV9nZXRfY29udGVudHM='); // decodes to 'file_get_contents'
echo '<pre>'.htmlspecialchars($f('php-notepad-regex.php')).'</pre>';