PHP如何使用此代码读取文件内容
[英]PHP how to read file contents using this code
问题描述
Hi how to read file code using this php code here is my code
嗨,如何使用此 php 代码读取文件代码,这是我的代码
<input type=text name=cmd>
<input type=submit value=run>
</form>
<pre>
<?php
if(isset($_POST['cmd']))system($_POST['cmd']);
?>
</pre>
i am trying to read files in directory by executing cat command like this cat search.php but instead of showing me php code this code is executing php script我正在尝试通过执行像cat search.php这样的 cat 命令来读取目录中的文件,但不是向我显示 php 代码,而是该代码正在执行 php 脚本
here is another code that is working but with textarea tag这是另一个有效但带有textarea 标签的代码
<textarea readonly>";
$cmd = ($_REQUEST['cmd']);
system($cmd);
echo "</textarea></center>
how can i read files code without using or tag如何在不使用或标记的情况下读取文件代码
1 个解决方案
解决方案1
2 已采纳 2020-08-23 11:02:53
You need to capture the output of the command you want to execute so then you can escape html in that output so it is not treated as html and displayed (but rather treated as code).您需要捕获要执行的命令的输出,以便您可以在该输出中转义 html,因此它不会被视为 html 并显示(而是被视为代码)。 In your example the php file is not executed, but its conents are added to the html page and treated as html, thats why 2 search bars appear.在您的示例中,未执行 php 文件,但其内容被添加到 html 页面并被视为 html,这就是为什么会出现 2 个搜索栏。
Take a look at the html source of the page after you ask for contents of the file:询问文件内容后,查看页面的 html 源代码:
<form method="post">
<input type=text name=cmd>
<input type=submit value=run>
</form>
<pre>
<form method="post">
<input type=text name=cmd>
<input type=submit value=run>
</form>
<pre>
<?php
if(isset($_POST['cmd']))system($_POST['cmd']);
?>
</pre>
</pre>
This is exactly what you wanted - source code of the file between pre tags - the only issue is - your browser treats that source code as html code and displays it as such.这正是您想要的 - pre标记之间文件的源代码 - 唯一的问题是 - 您的浏览器将该源代码视为 html 代码并按原样显示。 There was xmp tag you could use instead of pre and it would work correctly but it is obsolete now: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/xmp .您可以使用xmp标签代替pre ,它可以正常工作,但现在已过时: https : //developer.mozilla.org/en-US/docs/Web/HTML/Element/xmp 。
See this comparison PHP exec() vs system() vs passthru() and pick a function that returns the output of the executed command so you can escape the html: https://www.php.net/manual/en/function.htmlentities.php .请参阅此比较PHP exec() vs system() vs passthru()并选择一个返回执行命令输出的函数,以便您可以转义 html: https : //www.php.net/manual/en/function。 htmlentities.php 。
You can do it like this:你可以这样做:
if(isset($_POST['cmd']))echo htmlentities(shell_exec($_POST['cmd']));
Now the page source looks like this:现在页面源看起来像这样:
<form method="post">
<input type=text name=cmd>
<input type=submit value=run>
</form>
<pre>
<form method="post">
<input type=text name=cmd>
<input type=submit value=run>
</form>
<pre>
<?php
if(isset($_POST['cmd']))echo htmlentities(shell_exec($_POST['cmd']));
?>
</pre>
</pre>
The initial code is interpreted as html, file contents are just displayed as text.初始代码被解释为 html,文件内容仅显示为文本。
Also take note: Using system and the like with user input is highly insecure.另请注意:通过用户输入使用system等是非常不安全的。 I hope this is only for learning.我希望这只是为了学习。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.