Request #65203 Please add a feature to report potentially dangerous code examples in comments
Submitted: 2013-07-04 12:58 UTC Modified: 2016-05-29 04:44 UTC
Votes:2
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: ryan at rmauger dot co dot uk Assigned: googleguy (profile)
Status: Wont fix Package: Website problem
PHP Version: Irrelevant OS: n/a
Private report: No CVE-ID: None
 [2013-07-04 12:58 UTC] ryan at rmauger dot co dot uk
Description:
------------
Please allow us to report potentially dangerous or irresponsible code examples 
from the comments, such as the one below, they do nothing for the reputation of 
PHP, and could end up making their way into production servers of people still 
learning their way in PHP.

Test script:
---------------
After trying extensively to make exec() work with various Windows Apache MySQL PHP servers, I found one that works flawlessly called AMPPS, and wrote this script that lets you run command prompt commands from a browser. You can essentially run ipconfig, ping, tasklist or any command you normally would sitting in front of your computer running command prompt (cmd).

I'm running this on a Windows 7 32-bit box using Softaculous AMPPS.

<form action="" method="post">
    <textarea name="code" cols="50" rows="10"></textarea><br>
    <input type="submit" name="submit" value="Execute">
</form>

<?php

if (isset($_POST['submit'])) {
    // The POSTed textarea content is handed to exec() unchanged: the
    // server runs whatever command line the client typed, with the
    // privileges of the web server process.
    $code = $_POST['code'];
    exec($code, $output);

    echo '<pre>';
    print_r($output);
    echo '</pre>';
}

?>
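The script in the quoted note is a web shell: the request body becomes the command line, so anyone who can reach the page can run arbitrary commands as the web server user. The following is an added example, not part of the report and not php.net code, that puts the posted approach beside a hardened one built on a fixed allow-list, per-argument validation and escapeshellarg(). The function names, the allow-list contents and the argument patterns are assumptions chosen for illustration; the ping entry assumes POSIX `ping -c` and switches to `-n` on Windows via PHP_OS_FAMILY (PHP 7.2+).

```php
<?php
declare(strict_types=1);

// Added example, not the posted note and not php.net code. Function names,
// the allow-list and the argument patterns are assumptions for illustration.

// The approach of the posted note: the request body is the command line.
// A body such as "ipconfig && whoami" runs both commands with the web
// server's privileges.
function run_unchecked(string $code): array
{
    exec($code, $output, $status);
    return ['status' => $status, 'output' => $output];
}

// Hardened approach: the client may only name an entry of a fixed allow-list
// and supply one argument. The argument must match that entry's pattern
// (no shell metacharacters, and no leading "-" so it cannot be read as an
// option) and is additionally quoted with escapeshellarg() before exec().
function allowed_commands(): array
{
    $countFlag = PHP_OS_FAMILY === 'Windows' ? '-n' : '-c';
    return [
        // name => [trusted command prefix, regex the single argument must match]
        'echo' => ['echo',              '/\A[A-Za-z0-9][A-Za-z0-9 ._-]{0,63}\z/'],
        'ping' => ["ping $countFlag 1", '/\A[A-Za-z0-9][A-Za-z0-9.-]{0,252}\z/'],
    ];
}

function run_allowlisted(string $name, string $arg): array
{
    $allowed = allowed_commands();
    if (!isset($allowed[$name])) {
        return ['status' => -1, 'output' => ['unknown command']];
    }
    [$prefix, $pattern] = $allowed[$name];
    if (preg_match($pattern, $arg) !== 1) {
        return ['status' => -1, 'output' => ['argument rejected']];
    }
    // Only the client-supplied argument is quoted; the prefix is a constant
    // under the application's control, never taken from the request.
    exec($prefix . ' ' . escapeshellarg($arg), $output, $status);
    return ['status' => $status, 'output' => $output];
}

// Request handler mirroring the posted form, but with separate fields for
// the command name and its argument, and HTML-escaped output.
if (isset($_POST['name'], $_POST['arg'])) {
    $result = run_allowlisted((string) $_POST['name'], (string) $_POST['arg']);
    echo '<pre>', htmlspecialchars(implode("\n", $result['output']), ENT_QUOTES, 'UTF-8'), '</pre>';
    exit;
}

// Command-line demonstration with harmless commands (constructed inputs).
$payload = 'hello && echo INJECTED';
// The shell interprets "&&", so both echo commands run.
print_r(run_unchecked('echo ' . $payload));
// Rejected before exec(): "&" is not admitted by the echo pattern.
print_r(run_allowlisted('echo', $payload));
// Accepted: a plain word passes the pattern and is quoted for the shell.
print_r(run_allowlisted('echo', 'hello'));
```

Run it with `php example.php` to see the two paths side by side, or serve it and POST `name=ping&arg=127.0.0.1`. The allow-list restricts what can run, not who can run it: even the hardened form still executes commands on the server and must sit behind authentication before it is exposed on anything resembling a production host.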


History

 [2013-07-09 14:44 UTC] josh at servebyte dot com
Agreed. Even finding replies to comments is challenging. Replies to comments should be under the related comment.
 [2013-07-09 17:24 UTC] danbrown@php.net
-Status: Open +Status: Feedback
 [2013-07-09 17:24 UTC] danbrown@php.net
It appears that someone else already removed the mentioned user note, but as for 
"comments" being threaded, note that it says, in very large, bold text, that 
those types of contributions do not belong on the site.
 [2013-07-09 17:55 UTC] ryan at rmauger dot co dot uk
-Status: Feedback +Status: Open
 [2013-07-09 17:55 UTC] ryan at rmauger dot co dot uk
This response seems to miss the point. Yes, that comment may have been removed, but 
the fact remains that there is no way for people to highlight other new ones 
besides reporting here.
Given the difference in effort between simply clicking a button to push a comment 
into a moderation queue and filling out a report here, it is clear which would be 
the more successful mechanism.
 [2013-07-09 18:21 UTC] danbrown@php.net
-Status: Open +Status: Feedback
 [2013-07-09 18:21 UTC] danbrown@php.net
No, it didn't miss the point, it was merely an update, Ryan.  Otherwise I'd have 
closed the report.
 [2013-07-09 18:22 UTC] ryan at rmauger dot co dot uk
-Status: Feedback +Status: Open
 [2013-07-09 18:22 UTC] ryan at rmauger dot co dot uk
Apologies Dan, I misunderstood the significance of the status change to 'feedback'
 [2013-07-09 18:27 UTC] danbrown@php.net
No apologies necessary.  I'm checking with one of the guys who has done 
substantial work on improving the notes system to see if he wants to take on the 
challenge.
 [2013-07-09 18:30 UTC] ryan at rmauger dot co dot uk
Please mention that I am willing to collaborate if extra man-power is needed to 
help make it possible
 [2013-10-11 00:57 UTC] bjori@php.net
-Assigned To: +Assigned To: googleguy
 [2013-10-11 00:57 UTC] bjori@php.net
Sherif, you want to have a look at "Report as spam"/"Report as unsafe" for user contributed comments?

Unsure if it is needed though, comments with negative votes should be removed...
 [2013-10-11 11:45 UTC] googleguy@php.net
We wanted user contributed notes to be self moderating; as in, the community voting down those notes which did not appeal to the broader audience would ultimately lead to the note being pushed down to the bottom of the page where fewer users were likely to spot it immediately. On the flip side, notes which the community at large found to be of higher relevance/quality would get pushed up to the top where most people would see them. I can't say that this has worked out perfectly thus far, but it has made a slight impact on weeding out the contributions of lesser quality/relevance.

As always, good judgement and caution should be practiced when using any code found in the user contributed notes section of php.net, as these notes are not generally moderated often enough. There isn't enough manpower to moderate all of them, and so we depend on people voting down the bad ones or reporting them here on bugs.php.net.

I'm not sure what impact the report as spam functionality will have on removing those notes. Once again, the problem is limited manpower paying attention to user contributed notes.

Ideally I would rather have everything become a lot more autonomous so that too many reports of spam or too many negative votes would ultimately remove the note and as such less moderation would be required.

The user contributed notes on php.net should be moderated directly by its community, in my own humble opinion. However, this is a lot easier said than done due to the inability to limit the abuse of such a system. These issues have been raised in the past and not everyone agrees on how this should be implemented.
 [2015-08-06 20:57 UTC] cmb@php.net
> Given the difference in effort between simply clicking a button
> to push a comment into a moderation queue, and to fill out a
> report here, it is clear which would be a more successful
> mechanism.

I've quickly reviewed all new user contributed comments of the
last weeks, and there are definitely many more jesters active than
people who post really bad or even dangerous comments. I'm afraid
that offering the possibility to push a comment into a moderation
queue with a simple click would be misused too often, which would
take even more time for review.
 [2016-05-29 04:44 UTC] googleguy@php.net
-Status: Assigned +Status: Wont fix
 [2016-05-29 04:44 UTC] googleguy@php.net
I agree that adding this feature likely will not improve the moderation of user contributed notes. I'm going to rely on the crowd-sourcing of votes to downgrade and potentially remove unwanted user contributions as it seems to be more effective in practice.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Wed Apr 24 12:01:29 2024 UTC