How to clear previously echoed items in PHP
F

5

61

In PHP, is there any way to clear/remove all previously echoed or printed items?

For example:

<?php

echo 'a';
print 'b';

// some statement that removes all printed/echoed items

echo 'c';

// the final output should be equal to 'c', not 'abc'

?>

My script uses the include function. The included files are not supposed to echo anything. Just in case someone (e.g. a hacker) tries, I need a way to remove it.

Faires answered 29/6, 2009 at 12:15 Comment(2)
If you're doing it as a "security measure" you're probably doing it wrong. You should consider a different approach to the problem. Maybe create another question stating what your problem is? – Cataplasm
I am using oci_execute, and if the query fails, it will echo a <b>warning</b> message. But I am handling the error separately and don't want the Oracle message. So this question is applicable in this scenario also. – Landowner
G
121
<?php

ob_start();
echo 'a';
print 'b';

// some statement that removes all printed/echoed items
ob_end_clean();

echo 'c';

// the final output is equal to 'c', not 'abc'

?>

Output buffering functions

The output buffering functions are also useful in hackery to coerce functions that only print to return strings, i.e.

<?php
ob_start();
var_dump($myVar);
$data = ob_get_clean();
// do whatever with $data
?>
Glynis answered 29/6, 2009 at 12:18 Comment(4)
Are there apache settings to enable/disable output buffering for multiple pages? – Elfreda
You can also use ob_end_flush() to print out the statements that follow ob_start(), instead of discarding them. See us3.php.net/ob_start – Och
@Matthew: helped a lot! – Alburga
ob_start(); is not needed – Gastrovascular
H
4

While @monoxide is right, it's better to find more intuitive ways of doing the same, e.g.:

<?php
$val_to_print = $a;
if( $need_to_change==true ) 
    $val_to_print = $b;
// when you are sure you won't have to change again...
echo $val_to_print;
?>

Cheers,

jrh

Hebe answered 29/6, 2009 at 12:21 Comment(4)
He's concerned about someone changing files on him that he doesn't control, so while you're right, you're not addressing what he's concerned about. – Glynis
Also, sometimes people overlook EOL's at the end of include files, causing potential havoc if you need to send a header() later... – Glynis
@monoxide At the risk of going completely off-topic, you can omit the last closing PHP tag at the end of a file which is a good way to eliminate that problem completely. – Antipole
+1 for the EOF issue. This issue took me days a while ago to debug. And it was only through accident that I found it. – Koester
S
1

Ideally, you shouldn't output anything that you don't ultimately want printed. Keep your logic separate from your presentation for less frustration.

That being said, you can consult the Output Buffering options within PHP.

Sic answered 29/6, 2009 at 12:21 Comment(0)
T
0

If it is debug output and program status information you are worried about, maybe trigger_error may be nearer to what you need, such as:

trigger_error ("Attempting to load report #{$report_id}.", E_USER_NOTICE);

When your script is in production it won't show up any errors as generally they are disabled or logged. It's also best to do fatal errors this way with E_USER_ERROR rather than using die ().

ob_start ();
require ($filename);
$html = ob_get_clean ();

The above will also include a file and give you its contents as a string.

Caveat: Ditching the buffer will also ditch any error messages thrown up, making debugging (potentially) a nightmare.

Thalamencephalon answered 29/6, 2009 at 12:33 Comment(1)
Or, potentially much better if you use the $html you got from get_clean() and put it in the body of your page instead of screwing up the headers and positioning of most of your page. – Glynis
R
-1

If a hacker, let's say, has access to your PHP file, he will also be able to remove the statement clearing the output buffer.

If you are doing this because you are letting your users upload PHP scripts, let me tell you that this is an extremely bad idea.

In both cases, doing what you are asking for adds 0 security.

Ratty answered 29/6, 2009 at 12:55 Comment(8)
I have an ajax function that delivers the file name/location of a file to be included to my php document. I'm using the parse_url function to disallow any values that are absolute paths (before the file is included). The included file is supposed to contain only an array. I wrapped the array in ob_start and ob_end_clean to remove any echoed content. Do you see any potential security issues with that? – Faires
Plenty actually. It means your attacker can execute any given php file on your system. You are better off having one php file per array, and call up that file directly. – Ratty
Thanks for the input. For the program to work, the user must be able to add his own array values. In addition to the above, I've also now required that the included file must contain a sub string. For example, the string must contain "bar". "foo.php" cannot be included. "foo_bar.php" can be included. So, as long as there are no other files in the system containing "foo", the program should be secure. Is this right? Thanks again for your help. Much appreciated. – Faires
Let's see... "../bar/../../delete_all.php": still will be called. There is simply no way of protecting yourself. Why not store the serialized values into the database and fetch them by id? So you could have "foobar.php?id=20" which is way more secure than foobar.php?file=someArbPath – Ratty
Or another way of going about it is to completely disable pathing elements like '..', that can solve a lot of these sorts of security issues. – Glynis
I can't store pre-made values in a database because the script is a JQuery plugin. Users need to be able to enter any relative path. I changed the logic of my script so that the path must be relative (not absolute), the last part of the path must contain "foo" and the file name of the file being included must contain "foo". Will that work? – Faires
@ed: There are always ways to escape out of path restrictions. I don't see how jQuery is stopping you from getting data out of the database. It is PHP who will do the work, not jQuery... All you need to do is point jQuery to that PHP file with a proper query string. And if the plugin is really hardcoded in such way that it's impossible to customize it, maybe you should modify the plugin. – Ratty
Here's a related question: #1067430 – Faires
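
The fetch-by-id idea from the comments above, combined with the output buffering from the accepted answer, as an added example that is not part of the original thread. The function name load_data_file, the id map, the file names and the temp directory are assumptions made up for illustration; the traversal string is the one quoted in the comments.

```php
<?php
// Added example, not code from the thread; ids, file names and the temp directory are constructed.
/** Load an array from a data file chosen by id, never by a client-supplied path. */
function load_data_file(string $id, array $allowed, string $baseDir): array
{
    // 1. The client only picks a key; anything not in the map is rejected.
    if (!array_key_exists($id, $allowed)) {
        throw new InvalidArgumentException('unknown data id');
    }
    // 2. Defence in depth: the resolved path must still sit inside $baseDir.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $allowed[$id]);
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException('data file outside base directory');
    }
    // 3. Capture anything the file prints so it cannot reach the response.
    $level = ob_get_level();
    ob_start();
    try {
        $data = include $path;
    } finally {
        $stray = '';
        while (ob_get_level() > $level) {      // also closes buffers the file left open
            $stray = ob_get_clean() . $stray;
        }
        if ($stray !== '') {                   // log it instead of silently dropping it
            error_log('discarded ' . strlen($stray) . " bytes of output from $path");
        }
    }
    if (!is_array($data)) {
        throw new UnexpectedValueException('data file did not return an array');
    }
    return $data;
}

// Constructed demo: a data file that prints stray output, then a path used as an id.
$dir = sys_get_temp_dir() . '/ob_demo_' . getmypid();
mkdir($dir);
file_put_contents("$dir/colors.php", "<?php echo 'noise'; return ['red', 'green'];");
$allowed = ['colors' => 'colors.php'];
var_dump(load_data_file('colors', $allowed, $dir));   // the array only; 'noise' is logged
try {
    load_data_file('../bar/../../delete_all.php', $allowed, $dir);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
unlink("$dir/colors.php");
rmdir($dir);
```

The buffer only hides accidental output such as a trailing newline or a stray echo; an included file still runs with the script's full privileges, so the id lookup and the path check are what limit which code gets executed.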
