Newest Visitor Badge Earned!
Click to create an account and start competing today!
After Hours Programming
Show Tutorials


You (Level 0)
0/25
Last Badge Earned
Newest Visitor

PHP Notepad

The PHP Notepad is still currently under development. It probably still has some vulnerabilities, but I am working to resolve them. The finalized version is coming soon, but feel free to use it! I would like to thank everyone for testing this beta version, especially the reddit PHP community.

The PHP Notepad executes your PHP code online.

It is true that certain PHP functions have been restricted on the PHP Notepad. Ok, many functions have been restricted as PHP has a few thousand functions. The most useful functions are enabled, but the functions you could use to take down this website are not, but hopefully, you did not want to hack my site anyway. If you want to do file manipulation, printing server variables, etc., you will probably need to open your own offline editor.

Have you ever wanted to try to execute some PHP code really quick? It is very annoying to open a text editor, write the code, upload the file, and then navigate to its address. That is a lot of steps just to see your PHP code. Why not test your php code right here in the PHP Notepad?


The PHP Notepad can take 3 types of input:

Example 1 echo 'The output of your code will be displayed here!'; // initially assumes it is PHP
Example 2 <?php echo 'The output of your code will be displayed here!'; ?>
Example 3 <h1><?php echo 'The output of your code will be displayed here!'; ?></h1>

However, the PHP Notepad will not let you use PHP codes inside HTML without PHP tags. This is because how can you determine PHP inside HTML without PHP tags? You can't. Therefore, it will display as regular HTML.

Problems with the PHP Notepad?

The PHP Notepad is in beta testing, but is slowly moving into production. If you find any issues with the PHP Notepad or cannot figure out how to use it, please use the comments form below to tell me about any issues. Don't hesitate; I really want to make it better and help you learn! Of course, you can also send suggestions on how to improve how you can test your PHP code. The PHP Notepad is only for practice and quick executions.




If you enjoyed this resource, support me by sharing this page with others.

Stumbleupon Facebook Twitter GooglePlus Reddit Delicious Digg


Comment or Suggestion?

Comments are a way to tell me about corrections or suggestions, what you thought about the resource, or providing additional information. Help feed the discussion!


Yes




Comments

user
jagger
September 18, 2014 12:13AM
how do you code


user
Finley Siebert
August 18, 2014 06:08PM
Can you please update to the latest PHP version.


user
shiva
July 31, 2014 01:26AM
fantastic! it is one of the beautiful tutorial site ever seen


user
PatrickAchuo
75
July 23, 2014 02:30PM
You are doing an awesome job, I feeling pretty confident about getting my head into programming


user
inam ullah maan
June 26, 2014 09:51PM
Keep up the good work app was very usefull. its a great tool.a very great tool for PHP learner,


user
manoj
June 3, 2014 04:05AM
Comments are a way to tell me about corrections or suggestions, what you thought about the resource, or providing additional information. Help feed the discussion!


user
James Friedman
March 24, 2014 02:54AM
An access key to the submit Test Code input would be useful.


user
Tim Berneman
March 19, 2014 06:26AM
Some spelling/syntax errors on your site.

The last sentence on the 3rd paragraph reads:
  Why not use test your php code right here in the PHP Notepad?
It should be:
  Why not test your php code right here in the PHP Notepad?

I tried this command:
  echo $_SERVER['DOCUMENT_ROOT'];

Got this response with 2 syntax errors:
  Permission denied to use those functions. I cannot allow functions, like file operations, to control my server. Sadly, some people would abuse it.The following functions or keywords where denied.

Spelling/Syntax errors:
  Should be a space after the period in "abuse it.The"
  Should be "were denied" and not "where denied"

Also, I used the name "Tim" and hit Post where it told me my name was too short but it did not carry over this comment/suggestion field so I would have lost it but I hit my browser Back button and luckily it was still there.


user
jakie
March 6, 2014 06:08PM
hi i help keyborad for students kid adult and children.  


user
karthikeyan
February 5, 2014 04:07AM
Keep up the good work app was very usefull


user
Adeola Poroye
February 3, 2014 01:38AM
Yeah its a great tool!


user
Henry
December 22, 2013 02:06AM
Great! This is a very great tool for PHP learner!


user
John Deere Gallego
November 11, 2013 06:06PM
great tool for newbies like. i recommend it!


user
david sals
November 1, 2013 01:30PM
I'm on Mac Chrome, Version 30.0.1599.101. This looks really interesting, but I can't figure out how to use it. There are no submit buttons anywhere that I can see. There's a line under the input textarea that says "Executing..." but it doesn't change.  Did I catch you in the middle of an update?

Also, I don't want to rate it as bad, but as it's entirely broken for me, that seems like the most appropriate. I just did Average to give you the benefit of the doubt. I would make the rating optional in the comments.


user
Search SA
October 14, 2013 09:47AM
This is a very handy tool - cant wait until its fully completed


user
Jacob JJay
25
October 11, 2013 10:40AM
Super tool for newbies :) i recommend it


user
Saurabh Tyagi
500
September 30, 2013 04:45AM
I don't know more about php so i think i can learn php by using this tool. Lets see how useful it will be.


user
Chi Young
August 9, 2013 07:42PM
I'm just learning PHP and this is a good tool practice with:0) Great stuff!! Will this work offline on Chromebook?  I'm using a laptop now, I do also have Google Chromebook.. still working with it also.


user
CHARLIE GUPTA
50
May 5, 2013 02:49AM
very abstract tutuorial


user
Elijah Horton
March 7, 2013 08:20AM
Hey Jared,

This is a neat resource you're trying to put together, but your struggle with securing the code passed to your server will be ongoing if you're trying to lock down PHP's global scope.

Might I suggest trying out my BSD-licensed PHPSandbox class and see if it helps?

https://github.com/fieryprophet/php-sandbox

Rolisoft is correct in that it is a PHP-userland code, and I make no claims it is 100% impossible to break out of, but I feel very confident it will be a vast improvement, particularly since it allows the use of whitelists (e.g. you can give it a list of functions to allow, rather than relying on a list to block) and you can have the sandbox rewrite functions and classes so they use your own versions of them. However, Rolisoft is incorrect in stating that it is vulnerable to the particular attack vector he listed, as it would require you allowing the _ function, allowing closures, and that when PHPSandbox checks the alphanumeric code it doesn't read it as evaluating to a blacklisted function (yes, it checks variable functions!)

It also contains a toolkit in which you can experiment (from the safety of your local dev environment only!) with all of the sandbox settings to figure out which options will be best for you without requiring you to write a million code snippets.

Hope it helps.


user
Jared Drake
1525
February 28, 2013 10:22AM
@RoliSoft. Thanks again. I swear I had file_get_contents on the ban list... Guess not. Those have all been fixed as well. Also, this file is "sandboxed" on another server. So, any impact the vulnerability has will not affect afterhoursprogramming.com


user
RoliSoft
February 28, 2013 10:01AM
I would like to recommend that you take a different route than using regex to find functions and ban them. You banned base64_decode, but there are a myriad ways to do something in a programming language.
For example #1:

$f = str_rot13('svyr_trg_pbagragf');
print $f('php-notepad-regex.php');

Take #2:

$f = str_replace('ph', 'f', 'phile_get_contents');
print $f('php-notepad-regex.php');

Sure, you could go ahead and ban str_replace and str_rot13, but what would you about this:

$f = 'xile_fet_montents';
for($i = 0; $i < 14; $i++){
	switch($f[$i]){
		case 'x': $f[$i] = 'f'; break;
		case 'f': $f[$i] = 'g'; break;
		case 'm': $f[$i] = 'c'; break;
	}
}
print $f('php-notepad-regex.php');

Ban foreach and switch?

What I recommend you use instead is some kind of sandboxing that is a bit more advanced than regular expressions.

1) Either try to assign a custom php.ini to the php-notepad folder and disable "file_get_contents" in there. That way you can re-enable chr(), base64_decode() etc harmless functions, since even if I put "file_get_contents" into $f and call it, PHP will quit with a security error.

2) You can look into the "runkit" extension for PHP, which is essentially a PHP VM and does exactly sandboxing. You can even replace built-in functions with your own, etc. http://www.php.net/manual/en/book.runkit.php

3) Do what other online universal code runners do, and create a folder outside of the wwwroot, cd into it, run the whole php binary with the code sample as a parameter and chroot the php process to the temporary dir you created. Kill it after 2 seconds or if it goes over x% CPU usage, then delete the temporary folder.

4) If you are unable to install PHP extensions (eg. host won't let you) then look into PHP-based solutions for sandboxing code: https://github.com/fieryprophet/php-sandbox (However, this is still PHP-based PHP sandboxing, so it is exploitable. It is vulnerable to this: http://www.thespanner.co.uk/2011/09/22/non-alphanumeric-code-in-php/ )

Feel free to remove my comment or edit out the codes, as they demonstrate a vulnerability on your production server.


user
Jared Drake
1525
February 27, 2013 10:03AM
@RoliSoft Thank you sir. Those issues should be fixed, I don't know why I forgot to block those. I am sure there are a few more that I missed... :(


user
RoliSoft
February 27, 2013 10:01AM
Hey, the script is great.

I don't want to be "that guy", but it's really easy to bypass your *file* restriction.

// to list files (you can do ../ and so on)
print_r(scandir('.'));

// to bypass your security and open file
$f = base64_decode('ZmlsZV9nZXRfY29udGVudHM=');
echo '<pre>'.htmlspecialchars($f('php-notepad-regex.php')).'</pre>';