How to Show PHP code in Color

PHP provides a nice function called show_source(). Its format is as follows:

bool show_source(string $filename);

It takes a single argument, the path of the file to display, and returns TRUE on success or FALSE on failure. (show_source() is an alias of highlight_file(); the two are interchangeable.)

Using this Function

The simplest way to use the show_source() function is as follows:

show_source("code_file.txt");

This would read the file code_file.txt, apply PHP syntax colouring to it, and output the result to the browser as HTML.

Security and an Advanced Use of show_source()

Since show_source() sends the complete source of the named file to the browser, the security risks are obvious: anyone who can influence the filename can read files they should not see, and if you keep database passwords or other secrets in your PHP scripts, those are exposed too. So be careful!

Now we will build a simple script that you can use to output the source of any page on your site. We will try to add some security checks. If you know of more security checks that could be added, please email them to me. Thanks!

The Security Checks

First, we want the script to check that the HTTP_REFERER request header contains a certain string. This string will be our server's hostname, or if you are on a shared server, the hostname plus the path to your homepage. For example, for eKstreme.com the string would be the first line below; on a shared server it might look like the second:

$sitesubstring = "www.ekstreme.com";
$sitesubstring = "www.ekstreme.com/~mypage";

Next we check that the HTTP_REFERER really does contain this string, and if not, tell the user. Keep in mind what this check can and cannot do: stristr() is a case-insensitive substring match, and the Referer header is supplied by the client, so this stops casual link-following from another site but not a request that deliberately sets the header:

$referer = $_SERVER['HTTP_REFERER'] ?? '';   // sent by the client; may be missing entirely
if (!stristr($referer, $sitesubstring)) {
   echo "Quit messing around!!";
   exit;
}

The second security layer comes later on.

The Actual Output

Now we take $filename from the query string and check that it is not empty; if it is not, we try to display it:

// $filename used to arrive via register_globals; read it from the query string explicitly
$filename = (isset($_GET['filename']) && is_string($_GET['filename'])) ? $_GET['filename'] : '';

if (strlen($filename) > 0) {
   // Anchor the request under the document root so only files below it are reachable
   $filename = $_SERVER['DOCUMENT_ROOT'] . $filename;
   // Only .php files, and no "/.." segment. ereg() was removed in PHP 7; preg_match() replaces it.
   if (preg_match('/\.php$/', $filename) && !preg_match('#/\.\.#', $filename)) {
      show_source($filename);
   }
   else {
      echo "\nOoops - error somewhere!";
   }
   exit;
}
else {
   echo "Please specify a file!";
   exit;
}

We try to add more security as follows:

  • We tack the document root ($_SERVER['DOCUMENT_ROOT']) onto the beginning of the $filename variable. This confines the lookup to files under your account's HTML root.
  • Second, we allow parsing of a file only if its extension is .php. Remember that this still covers any configuration script that holds passwords, so keep such files outside the document root, or better, list explicitly which files may be shown.
  • Thirdly, we make sure that $filename does not contain the string '/..', which would climb out of the document root. Only this forward-slash form is blocked by the check as written.

This combination gives you some basic protection, but the real safeguard is deciding which files may be shown at all: the Referer check is satisfied by any client that sends the expected header, so do not rely on it to keep a file private. (Note: keep an eye on http://www.php.net/manual/en/function.show-source.php for comments about security.)
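As an added example (this is not the article's finished script, nor code from eKstreme.com), here is a showsource.php that keeps the article's interface, ?filename= relative to the document root, but replaces the Referer test with the checks a reviewer would ask for: an explicit allowlist of files that may be shown, canonicalisation with realpath() so that any '..' segment or symlink that leaves the document root is rejected, and an extension test on the canonical path rather than on the raw request. The allowlist entries are assumed names for illustration.

```php
<?php
// Added example, not the article's own script. Assumes, as the article does, that the
// viewable files live under $_SERVER['DOCUMENT_ROOT'] and are requested as
// ?filename=/path/relative/to/docroot.php
declare(strict_types=1);

/**
 * Resolve a user-supplied path against a base directory. Return the canonical
 * path only if it exists, stays inside the base, ends in .php and is on the
 * allowlist; return null for anything else.
 */
function resolve_viewable(string $base, string $requested, array $allowlist): ?string
{
    // Canonicalise the base once; realpath() returns false for a non-existent path
    $realBase = realpath($base);
    if ($realBase === false) {
        return null;
    }
    // Reject embedded NUL bytes before they reach any file API
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    // realpath() resolves '.', '..' and symlinks, so the containment test below
    // sees the real location, not the string the client sent
    $candidate = realpath($realBase . '/' . ltrim($requested, '/'));
    if ($candidate === false) {
        return null;   // file does not exist
    }
    // Containment: canonical path must begin with "<base><separator>"
    $prefix = $realBase . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;   // traversal or symlink escaped the document root
    }
    // Extension check on the canonical path, not on the raw request
    if (substr($candidate, -4) !== '.php') {
        return null;
    }
    // Allowlist by docroot-relative path, normalised to forward slashes
    $relative = str_replace(DIRECTORY_SEPARATOR, '/', substr($candidate, strlen($realBase)));
    if (!in_array($relative, $allowlist, true)) {
        return null;
    }
    return $candidate;
}

// The allowlist is the real control: scripts holding credentials are never on it.
// These names are assumed for the example.
$allowlist = ['/index.php', '/examples/hello.php'];

$requested = $_GET['filename'] ?? '';
if (!is_string($requested)) {
    $requested = '';   // ?filename[]=... would otherwise be an array
}
$path = resolve_viewable($_SERVER['DOCUMENT_ROOT'], $requested, $allowlist);

header('Content-Type: text/html; charset=utf-8');
if ($path === null) {
    http_response_code(404);
    echo 'No such viewable file.';
    exit;
}
highlight_file($path);   // show_source() is an alias of highlight_file()
```

The allowlist does the work the Referer check was meant to do: a file that is not listed is never shown, whatever headers the client sends. The realpath() containment test is what makes the '..' check unnecessary, since it compares the resolved location against the document root instead of searching the request string for a particular pattern.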

You can find the finished script here. [And in case you are wondering, I do not have any scripts on eKstreme.com that use the show_source() function :)...]

How to Use the Script

Now that we have designed the script, we use it by adding the following code to any PHP page:

// $_SERVER replaces the old $HTTP_SERVER_VARS array; escape the value before placing it in HTML
echo "<p><a href=\"/showsource.php?filename=" . htmlspecialchars($_SERVER['SCRIPT_NAME']) . "\">Show Source</a></p>";

Where the script is called showsource.php.
