php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #52984 PHP executing text from .php file opened with fopen().
Submitted: 2010-10-04 12:39 UTC Modified: 2010-10-04 13:54 UTC
From: craig at logicshock dot co dot uk Assigned:
Status: Not a bug Package: *Directory/Filesystem functions
PHP Version: Irrelevant OS: Ubuntu 8.10/9.04, Windows 7 x86
Private report: No CVE-ID: None
View Developer Edit
 [2010-10-04 12:39 UTC] craig at logicshock dot co dot uk 
Description:
------------
While trying to use a PHP script to read the contents of another .php file using 
fopen(), it appears that PHP might be executing/skipping/altering the text as PHP 
code instead of treating it as plain text.

The result is nothing like as would be expected as shown below, the result is 
missing lots of text. 2 versions of PHP have been tried 5.3.1 and 5.3.3 on Windows 
Vista and 7 both x86 and on two versions of Ubuntu server 8.10 & 9.04, the result 
is the same across all testbeds. 

Tried using fgets, fread and file_get_contents, all display the same result.

This error was reproduced and verified by a colleague.

Test script:
---------------
Calling script (index.php):
ls_execute();
function ls_execute()
{
	$fp = fopen('code.php', 'r') or die('Cannot open that source resource');
	while(!feof($fp))
		$data .= fread($fp,128);
	fclose($fp);
	return  $data;
}

The file to be read (code.php):
<?php

	echo " This is a test!";
 
?>

Expected result:
----------------
<?php

	echo " This is a test!";
 
?>

Actual result:
--------------
"; ?>

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2010-10-04 12:40 UTC] craig at logicshock dot co dot uk 
The text:
Calling script (index.php):
ls_execute(); 

Should read:
Calling script (index.php):
echo ls_execute();
 [2010-10-04 12:45 UTC] pajoye@php.net
-Status: Open +Status: Bogus
 [2010-10-04 12:45 UTC] pajoye@php.net 
Works just fine here, 5.2/5.3, obviously.

Also adding an echo should help to output the data.

Double check your actual code, there is certainly an error in it.
 [2010-10-04 12:53 UTC] craig at logicshock dot co dot uk 
The actual code is shown here, am I missing a mistake here then? 
The original code was a lot bigger but I broke it down to the code shown below to 
help isolate the problem. I had a colleague look too, he also couldn't see 
anything wrong, still I will check the code again just in case my last 12 months 
of forced ASP.net has made me overlook something.

There was an echo added, I forgot to show that in the first post here, so added it 
as an edit, shown below.
 [2010-10-04 13:25 UTC] craig at logicshock dot co dot uk 
As an update, I altered the code.php file to see if the contents made a difference. 
The changed file is:


// This is a test comment, doesnt matter that it is not in the php tags because this 
// file SHOULD NEVER BE EXECUTED!
<?php

	echo " This is a test<?php ?>";
 
?>

Now, the resulting output should be that exact text as the reading script is only reading the text, not executing it. However the result is instead:

// This is a test comment, doesnt matter that it is not in the php tags because this // file SHOULD NEVER BE EXECUTED! "; ?>

There is something wrong here, because it is reading parts and not others....  To be sure I tried it on my Windows machine (PHP 5.3.1) , and again on two of my Linux servers (PHP 5.2.6 & 
5.3.3), the result is the same on all three.

I still cannot see any coding error. Surely this is a bug?
 [2010-10-04 13:52 UTC] craig at logicshock dot co dot uk 
Another update, in the source file that is read using fopen, if I change the <?php 
to < ?php the function works as expected, so, somewhere along the line PHP is 
finding the <?php in the text and is recognising it as PHP code where it should 
only be treating it as plain text. 

Also, changing the file extension make no difference
 [2010-10-04 13:53 UTC] pajoye@php.net
-Status: Bogus +Status: Feedback
 [2010-10-04 13:53 UTC] pajoye@php.net 
Please paste the exact scripts you are using to test. There is no bug like or we would have hundred of bugs reports about it already. And it works just fine here (BSD, windows, linux), iirc.
 [2010-10-04 13:54 UTC] pajoye@php.net
-Status: Feedback +Status: Bogus
 [2010-10-04 13:54 UTC] pajoye@php.net 
Ah :)

Just reading again your report. You are calling the script from a webserver right? Via your browser? Then show the source of the page, that should give you the answer.
 [2010-10-04 14:07 UTC] craig at logicshock dot co dot uk 
Ok, the browser result is:
<html><body> 
// This is a test comment, doesnt matter that it is not in the php tags because 
this 
// file SHOULD NEVER BE EXECUTED!
";
 
?>
</body></html> 

It shows that the browser is only getting 'part' of the text as a response.

And the complete test code is:

<?php
	
	echo ls_execute();
	
	function ls_execute()
	{
		$fp = fopen('code.php', 'r') or die('Cannot open that source 
resource');
		while(!feof($fp))
		{
			$data .= fread($fp,128);
		}
		fclose($fp);
		return  $data;
	}
?>
 [2010-10-04 14:18 UTC] craig at logicshock dot co dot uk 
Ok, it is not a PHP bug!

I had been trying it in Chrome, total failure everytime, so I thought I'd try it 
in IE and FF... the result:

<html><body>
// This is a test comment, doesnt matter that it is not in the php tags because 
this 
// file SHOULD NEVER BE EXECUTED!
<?php
 
	echo " This is a test<?php ?>";
 
?>
</body></html>

The moral of the story is.. avoid Chrome!

Thanks for your time here, I'm going to pester the Google Chrome bug people now.
 [2010-10-05 11:43 UTC] bugs dot php at luden dot se 
The problem is probably that the browser tries to
interpret the "<?php ... >" part as some kind of
HTML element. Either deliver the code as valid HTML
or as "text/plain".
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Sat Dec 21 13:01:31 2024 UTC