View My PHP Source Code in a Browser Via a Button

View my PHP source code in a browser via a button

There are many problems with this code. Let me provide a solution, and then explain the issues and some words of caution.

1 <?php
2
3 $requested_file = $_GET["requested_file"] ?? null; // null when the key is absent
4
5 if ($requested_file === "1") {
6     $filepath = "/path/to/file/mainClient.php";
7 } elseif ($requested_file === "2") {
8     $filepath = "/path/to/file/secondaryClient.php";
9 }
10
11 if (isset($filepath)) {
12     echo highlight_file($filepath, TRUE); // TRUE returns the HTML, so echo it
13 }
14
15 ?>
16
17 <a href="http://example.com/?requested_file=1" class="btn">View source for 'Main Client' file</a>
18 <a href="http://example.com/?requested_file=2" class="btn">View source for 'Secondary Client' file</a>


PROBLEM #1: THE BUTTON

Your anchor tag is lacking an href, so it doesn't do anything. You see on line 17 that I added an href that will send a request to the server to fetch this page: example.com/. Notice the ?requested_file=1 key/value pair in the URL? This is how the $_GET array is populated. The "key" is requested_file and the "value" is 1.

I added a second button on line 18 for illustrative purposes.


PROBLEM #2: $_GET AND SECURITY

In your example, you were trying to load the file name/path through the $_GET superglobal. This is extremely dangerous. Further, it doesn't appear that you fully understand how $_GET works - the parameter 'mainClient.php' inside `$_GET['mainClient.php']` identifies the "key" and not the "value". The value is sent by the user through the URL.

The $_GET superglobal is used for retrieving user-generated input from the URL string, in the form of a key/value pair. Because the user has full access to edit the URL sent to the server (and because it is visible), it presents significant security vulnerabilities if not used carefully.

Consider the case where the user types in the URL http://example.com/?mainClient.php=db-config.php. In this case, your code will fire and the file all-my-secrets.php will be revealed in all its glory. That could be a very bad day for you.

In general it is very dangerous to use $_GET for anything other than signaling user actions from a list of pre-defined options. Allowing users to pass unsanitized data directly to your application is fraught with all kinds of risks, such as SQL-Injection, XSS attacks and more. Typically, $_GET is used safely for things like navigation, search terms, pre-defined actions, etc.

In my solution, I compare the $_GET request against a list of pre-defined numeric values (lines 5-9). If the $_GET['requested_file'] key has a value that matches one of my pre-defined numeric choices, then and only then can the file's content be sent back to the browser. So, no matter what the user sends in the URL, they can't get anything other than the two files I have pre-determined to be safe to share. Notice also that the user doesn't have any clue what my file path looks like and I don't even have to reveal the file's name if I don't want to. Revealing that kind of information exposes me even more.


PROBLEM #3: EMPTY VARIABLES

The error "highlight_file(): Filename cannot be empty" is because your $file variable was empty when the URL did not specify a key/value pair for $_GET.

I have used the php isset() function on line 11 to prevent the call to highlight_file() if $filepath doesn't have anything assigned to it.

FYI - You were also having problems with your button text since it uses the same $file variable assigned by $_GET. This is unnecessary, so I hard coded the text I wanted to use with my button.
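
A more general form of the allowlist approach described in this answer, added here as an example and not part of the original answer: the IDs live in one lookup table, non-string input is refused, and the resolved path is checked against a base directory. The `VIEWABLE_DIR` constant and the `resolve_viewable()` helper are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumption: shareable sources live in one directory (placeholder path from the answer).
const VIEWABLE_DIR = '/path/to/file';

// Allowlist: opaque public ID => file name inside VIEWABLE_DIR.
const VIEWABLE_FILES = [
    '1' => 'mainClient.php',
    '2' => 'secondaryClient.php',
];

// Hypothetical helper: map a request value to an absolute path, or null if refused.
function resolve_viewable($id, array $allowlist, string $baseDir): ?string
{
    // ?requested_file[]=1 arrives as an array, so accept strings only,
    // and only strings that are keys of the allowlist.
    if (!is_string($id) || !array_key_exists($id, $allowlist)) {
        return null;
    }
    // realpath() resolves symlinks and ".." and returns false if the target is missing.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $allowlist[$id]);
    if ($base === false || $path === false) {
        return null;
    }
    // Defence in depth: a symlinked or mistyped allowlist entry must not leave the base directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return (is_file($path) && is_readable($path)) ? $path : null;
}

$path = resolve_viewable($_GET['requested_file'] ?? null, VIEWABLE_FILES, VIEWABLE_DIR);
if ($path === null) {
    // One response for every refusal, so the reply does not reveal which files exist.
    http_response_code(404);
    exit('Not found');
}
echo highlight_file($path, true); // true returns the highlighted HTML instead of printing it
```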

View the source code clicking a button

If I understand you correctly, then you could use highlight_file() or highlight_string()

<?php
if (isset($_POST['view_source'])) {
    // __FILE__ is this script's filesystem path; $_SERVER['PHP_SELF'] is only the URL path
    highlight_file(__FILE__); // For the entire file
    $code = "Your intended code here";
    highlight_string($code); // For the intended code
}
?><form method='post'>
<input type='submit' name='view_source' value='View Source' />
</form>

How can I view PHP source code on a live site?

No, as it is interpreted on the server-side and the results are sent to the user. If you want to view the source code of a site you control in-browser, consider the FirePHP extension for Firebug, or just access your site files with your preferred method.

.php file shows code in Chrome

To display PHP on your computer you need to have a local PHP server set up. Without it there is no PHP engine that can interpret and parse your code to make it into HTML for the browser.

If you haven't got a PHP server installed locally, then you will need to upload your files to a server via FTP, where PHP is installed.

HTML form submit button displays code instead of executing it

PHP (in this context) is a server-side programming language.

You tagged this xampp but you aren't using it. Your URL (in the screenshot) starts with file://.

You need to load the HTML document by accessing it through your web server (by typing http://etc in the address bar and not by double clicking the HTML file in Windows Explorer).

How do I get the HTML code of a web page in PHP?

If your PHP server allows url fopen wrappers then the simplest way is:

$html = file_get_contents('https://stackoverflow.com/questions/ask');

If you need more control then you should look at the cURL functions:

$c = curl_init('https://stackoverflow.com/questions/ask');
curl_setopt($c, CURLOPT_RETURNTRANSFER, true);
//curl_setopt(... other options you want...)

$html = curl_exec($c);

if (curl_error($c))
die(curl_error($c));

// Get the status code
$status = curl_getinfo($c, CURLINFO_HTTP_CODE);

curl_close($c);

How to apply a php function with a button

If you want to do this in PHP, then you have your button submit a form and the PHP script it points to does the work.

<form action="writefile.php" method="post">
<input type="submit" value="Continue" />
</form>

-

<?php
//writefile.php
file_put_contents("testFile.html", "Hello\nWorld!\n");
?>

That script can redirect back to the form if you want:

<?php
//writefile.php
file_put_contents("testFile.html", "Hello\nWorld!\n");
header("Location: yourpage.php");
?>

How to write the code for the back button?

<button onclick="history.go(-1);">Back </button>

