php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #53298 // $msg_text = '?>...';
Submitted: 2010-11-12 12:08 UTC Modified: 2010-11-18 20:31 UTC
From: jost dot boekemeier at googlemail dot com Assigned:
Status: Not a bug Package: *General Issues
PHP Version: 5.2.14 OS: any
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: jost dot boekemeier at googlemail dot com
New email:
PHP Version: OS:

 

 [2010-11-12 12:08 UTC] jost dot boekemeier at googlemail dot com
Description:
------------
PHP Parser doesn't handle comments as such

<?php
echo 1+2;
// $msg_text = '?>RCP_11/11/10_12:31:52_070%_E009.56.35,7_N53.32.39,6_003KM/H_278DEG_0M_2_4_0_1,6_00_0';
echo 1+2;

should print 33, and not print the script unevaluated.

Test script:
---------------
<?php
echo 1+2;
// $msg_text = '?>RCP_11/11/10_12:31:52_070%_E009.56.35,7_N53.32.39,6_003KM/H_278DEG_0M_2_4_0_1,6_00_0';
echo 1+2;


Expected result:
----------------
33

Actual result:
--------------
3RCP_11/11/10_12:31:52_070%_E009.56.35,7_N53.32.39,6_003KM/H_278DEG_0M_2_4_0_1,6_00_0';
echo 1+2;


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2010-11-12 12:19 UTC] jost dot boekemeier at googlemail dot com
-: jost_boekemeier@googlemail.com +: jost dot boekemeier at googlemail dot com
 [2010-11-12 12:19 UTC] jost dot boekemeier at googlemail dot com
corrected mail address
 [2010-11-12 20:39 UTC] bastard dot internets at gmail dot com
"?>" is meant to break out of PHP when encountered in a single-line comment (see http://www.php.net/manual/en/language.basic-syntax.comments.php).
 [2010-11-12 21:43 UTC] felipe@php.net
-Status: Open +Status: Bogus
 [2010-11-12 21:43 UTC] felipe@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php


 [2010-11-14 14:38 UTC] jost dot boekemeier at googlemail dot com
felipe@php.net, thank you very much for taking the time to comment my request, even though you haven't understood it.

1. commenting out a valid variable definition should not cause the PHP parser to *suddenly* parse the definition! 

2. this is completely unexpected, even after reading the documentation



Please either fix this bug. Change the PHP parser to handle 
   $var = "val<?ue";
and
// $var = "val<?ue";

equally: The parser should either stop at the <? or not. For example if you force the programmer to always write "val<"."?ue", the problem vanishes.

The current behaviour means that you can expose the contents of an existing PHP file (including database passwords) by commenting out a simple variable definition. -- Line-comments can be problematic, but it shouldn't have such a drastic effect that the script returns unevaluated. 


Or please clearly document this bug, so that programmers do not use //-style comments to comment-out variable definitions.
 [2010-11-18 03:41 UTC] bastard dot internets at gmail dot com
@jost dot boekemeier:  I'll preface this comment with "I'm just a regular PHP user, not a PHP org member".

Changing the // behavior would break the usage in in-line php, shown on the 2nd example on the doc page.  Something like the following would no longer work...

<p>This is a paragraph about <?php echo $subject; // important comment here ?>.</p>

Looks ugly here, but with any IDE, the color-coding makes it all pretty intelligible.  The doc page is pretty clear about this comment usage.  The workaround to comment out any entire block containing any "?>" symbol would be to use the /* */ symbols instead.  Of course this goes against convenience and habit, and as other users have noted, this breaks lines with */ appearing anywhere (ie. regex strings, nested comments, etc).  But fixing -those- problems would break things elsewhere, like in this example of sourcecode documentation...

function do_something(/* integer */ $some_int, /* string */ $some_str) {/* do something */}

This report seems more like a feature request.  I'd vote for something like skipping the in-comment PHP mode escape if the // symbol doesn't appear on a same line as any opening PHP tag.  Though I'm sure devs can think of a better solution.
 [2010-11-18 20:31 UTC] jost dot boekemeier at googlemail dot com
> @jost dot boekemeier:  I'll preface this comment with "I'm just a regular 
PHP user, not a PHP org member".

Then please do not comment other one`s bug reports.

This bug report is about a change in the php parser. It was working perfectly 
until someone changed it to not recognize ?> within strings. The bug is that 
he did not make the same change for strings in single line comments. There 
is nothing to discuss about. The person who made the change clearly wrote a 
bug.

Your comments about multi line comments and IDE are offtopic here. Please 
open a new support request for that. Thank you.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Dec 22 11:01:30 2024 UTC