Ravens PHP Scripts: Forums
hicuxunicorniobestbuildpc
The Mouse Is Extension Of Arm
Joined: Aug 13, 2009
Posts: 1122
Posted: Tue Sep 17, 2013 3:57 am

Guys!

I noticed some themes have these changes

Code:
//  $thefile = "\$r_file=\"".$thefile."\";";

It's been changed to

Code:
$thefile = '$r_file="'."$thefile".'";';

I wonder why I cannot change it to this one

Code:
$thefile = '$r_file = \'' . $thefile . '\';';

Can anyone explain to me if there is another alternative to get rid of the double quotes?

Last edited by hicuxunicorniobestbuildpc on Sun Sep 22, 2013 4:28 am; edited 1 time in total 
spasticdonkey
RavenNuke(tm) Development Team
Joined: Dec 02, 2006
Posts: 1693
Location: Texas, USA
Posted: Tue Sep 17, 2013 4:41 am

That looks like one of the older theme functions that still uses eval.

"The eval() language construct is very dangerous because it allows execution of arbitrary PHP code. Its use thus is discouraged."

I believe fisubice still uses this method, not sure if any others do. It needs to be updated, as it should be using something other than eval. Personally I would remove the included HTML files and write the HTML within the functions. If you have to have some sort of template within your theme, take a look at mustache [link].

So in short, that code needs more than conversion to single quotes.
hicuxunicorniobestbuildpc
Posted: Tue Sep 17, 2013 7:43 am

I tried this one

Code:
function themesidebox($title, $content) {

    $tmpl_file = 'themes/Dolphins/blocks.html';
    $thefile = implode('', file($tmpl_file));
    $thefile = addslashes($thefile);
//  $thefile = "\$r_file=\"".$thefile."\";";
    $thefile = '$r_file ="' . $thefile . '";';
//    $thefile = '$r_file="'."$thefile".'";';
    eval($thefile);
    print $r_file;
}


and it is working properly. So what is the solution, spastic?
 
neralex
Site Admin
Joined: Aug 22, 2007
Posts: 1772
Posted: Tue Sep 17, 2013 8:00 am

hicuxunicorniobestbuildpc wrote:
So what is the solution spastic?


The solution is:

spasticdonkey wrote:
I would remove the included html files and write the html within the functions.

hicuxunicorniobestbuildpc
Posted: Tue Sep 17, 2013 8:28 am

neralex, please stay away. I didn't ask you a question. I asked spastic what could be the solution to improve the code. I am getting a little bit irritated by you trying to mess around all the time.

Spastic, thanks for the link. I understood the code should be converted to a better, safe method. Can you give me an example from the code I posted? Thanks in advance.
 
neralex
Posted: Tue Sep 17, 2013 9:42 am

Pff lol - I won't stay away, because this is an open forum, and what spasticdonkey has posted is simply the best solution. Not more! If you are a little bit irritated - sorry, that is only your problem, and if you want to write to only one person, write an e-mail instead of using a forum like this.

All my own themes are based on this simple way instead of using this outdated and dangerous code. You have exactly 5 detailed examples in the RN25x download package. Maybe you should really start to learn PHP instead of attacking other people.
 
spasticdonkey
Posted: Tue Sep 17, 2013 3:55 pm

This should work.

Code:
eval ('$r_file = "' . $thefile . '"');

Don't worry that there are still some double quotes in there; it is still a single-quoted string.
 
hicuxunicorniobestbuildpc
Posted: Tue Sep 17, 2013 4:06 pm

Thanks spastic but I get an error.

Parse error: syntax error, unexpected 'style' (T_STRING) in
 
spasticdonkey
Posted: Tue Sep 17, 2013 4:18 pm

Yeah, looks like I didn't look at it closely enough. I would just follow what was done in fisubice if you are sticking with eval.
 
hicuxunicorniobestbuildpc
Posted: Tue Sep 17, 2013 4:22 pm

This is from fisubice

Code:
function themesidebox($title, $content) {

    $tmpl_file = 'themes/fisubice/blocks.html';
    $thefile = implode('', file($tmpl_file));
    $thefile = addslashes($thefile);
//  $thefile = "\$r_file=\"".$thefile."\";";
    $thefile = '$r_file="'."$thefile".'";';
    eval($thefile);
    print $r_file;
}

Note: That is why I brought this up. I don't understand this line

Code:
$thefile = '$r_file="'."$thefile".'";';


Why use double quotes here like this

Code:
."$thefile".


This is what I did, and it worked well.

Code:
function themesidebox($title, $content) {

    $tmpl_file = 'themes/Dolphins/blocks.html';
    $thefile = implode('', file($tmpl_file));
    $thefile = addslashes($thefile);
//  $thefile = "\$r_file=\"".$thefile."\";";
    $thefile = '$r_file ="' . $thefile . '";';
//    $thefile = '$r_file="'."$thefile".'";';
//    eval ('$r_file = "' . $thefile . '"');
//    eval ('$r_file = "' . $thefile . '"');
    eval($thefile);
    print $r_file;
}
 
montego
Site Admin
Joined: Aug 29, 2004
Posts: 9457
Location: Arizona
Posted: Sat Sep 21, 2013 9:48 am

hicuxunicorniobestbuildpc, I do not recall the exact reasons, but it was related to stopping a specific type of exploit with the use of eval(). You will not see us using eval() on any of our newer themes due to the inherent security risks. Personally, I see no value in changing that original code, even though I can no longer remember the details well enough to explain why it's best.

Bottom line: eval() should never be used. It remains in this old theme because the theme hasn't been touched in many, many years and still works. When we move to RavenCMS(tm) 1.0 (being worked on now), it will most likely be released with all new themes given the theming system has been completely revamped.

wHiTeHaT
Life Cycles Becoming CPU Cycles
Joined: Jul 18, 2004
Posts: 579
Posted: Sun Sep 22, 2013 2:40 am

There's no problem using the eval function in this case.
No user details are being passed in calling eval. It is a simple placeholder.
So in my opinion it is safe to use.
If you do not agree, please clarify why it isn't.
Before you attempt: [link]
 
montego
Posted: Sun Sep 22, 2013 9:38 am

wHiTeHaT, I agree with the article and I also agree that if you are using a more recent version of RavenNuke(tm), then it is not an issue. If one were to be using an older *nuke, however, which also does not have CSRF protection, it could pose a risk - one would have to be quite sophisticated, however, to exploit.

Because you never know what kind of skill sets folks have with PHP, sometimes I believe it is better to discourage the use of certain functions. JMO. One can get into a serious world of hurt using eval() if they are not careful. My apologies for tending to be more on the cautious side.
 
Guardian2003
Site Admin
Joined: Aug 28, 2003
Posts: 6799
Location: Ha Noi, Viet Nam
Posted: Mon Sep 23, 2013 6:47 am

Or you could just "include" the file - you may need to change the file extension from html to php, though, if there is PHP code in the block file.
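To put the thread's three positions side by side, here is an added example (mine, not code from the thread or from RavenNuke): the eval-based block renderer being discussed, next to the placeholder substitution spasticdonkey suggested and the include Guardian2003 suggested. The placeholder names, function names, constructed templates and temp file are my assumptions.

```php
<?php
// Added example (mine, not from the thread or RavenNuke): the eval-based block
// renderer discussed above beside two eval-free replacements: the placeholder
// substitution spasticdonkey suggested and the include Guardian2003 suggested.
// Placeholder names, function names and the temp file are my assumptions.

// Constructed stand-ins for themes/<theme>/blocks.html so this runs offline.
$evalTemplate = '<div class="block"><h3>$title</h3><div>$content</div></div>';
$safeTemplate = '<div class="block"><h3>{title}</h3><div>{content}</div></div>';

// 1. The thread's pattern: the template becomes the body of a double-quoted
//    PHP string so eval() interpolates $title and $content. addslashes() only
//    escapes quotes and backslashes, so any "$name" or "{$expr}" text left in
//    the template is evaluated: the HTML file is effectively PHP source.
function themesidebox_eval($title, $content, $templateText) {
    $thefile = addslashes($templateText);
    $thefile = '$r_file="' . $thefile . '";';
    eval($thefile);
    return $r_file;
}

// 2. Same output without eval(): the template stays data and strtr() fills the
//    placeholders, so nothing in the file can execute. The title is escaped;
//    block content is HTML by design in this CMS, so it passes through as-is.
function themesidebox_strtr($title, $content, $templateText) {
    return strtr($templateText, array(
        '{title}'   => htmlspecialchars($title, ENT_QUOTES, 'UTF-8'),
        '{content}' => $content,
    ));
}

// 3. Guardian2003's route: make blocks.html a PHP file that echoes the values
//    itself, and include it inside output buffering. The file is still code,
//    but it is static code on disk, not a string assembled at runtime.
function themesidebox_include($title, $content, $templatePath) {
    ob_start();
    include $templatePath;            // the included file sees $title/$content
    return ob_get_clean();
}

// Constructed blocks.php written to a temp file (include ignores the extension).
$tmp = tempnam(sys_get_temp_dir(), 'blocks');
file_put_contents($tmp, '<div class="block"><h3><?php echo htmlspecialchars($title); ?></h3>'
    . '<div><?php echo $content; ?></div></div>');

echo themesidebox_eval('Menu', '<p>Hello</p>', $evalTemplate), "\n";
echo themesidebox_strtr('Menu', '<p>Hello</p>', $safeTemplate), "\n";
echo themesidebox_include('Menu', '<p>Hello</p>', $tmp), "\n";
unlink($tmp);
```

All three calls print the same block markup; the difference is only whether the template file is ever handed to the PHP parser.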
 