What is the best way to escape Python strings in PHP?
I have a PHP application that needs to output a Python script, more or less a bunch of variable assignment statements, e.g.

```python
subject_prefix = 'this string is user input'
msg_footer = """this one is, too."""
```

The contents of subject_prefix et al. need to be written to take user input; as such, I need to escape the contents of the strings. Writing the following isn't going to cut it; we're stuffed if it uses a quote or a newline or something else hazardous that I'm not aware of:

```php
echo "subject_prefix = '".$subject_prefix."'\n";
```

So. Ideas?

(Rewriting the app in Python isn't possible due to time constraints. :P )
Edit, years later:

This was an integration between a web app (written in PHP) and Mailman (written in Python). I couldn't modify the install of the latter, so I needed to come up with some way to talk to it in a language it could manage for configuration.
This is a really bad idea.

Do not try to write this function in PHP. It will inevitably be wrong, and your application will inevitably have an arbitrary remote execution exploit.

First, consider the problem you're solving. I presume you're trying to get data from PHP to Python. You might try writing a .ini file rather than a .py file. Python has an excellent INI syntax parser, configparser. You can write the obvious, and potentially incorrect, quoting function in PHP, and nothing serious will happen if (read: when) it's wrong.

You could write an XML file. There are too many XML parsers and emitters for PHP and Python for me to list here.

If I really can't convince you that this is a terrible, terrible idea, you can at least use the pre-existing function Python has for doing such a thing: repr().
Here's a handy PHP function that will run a Python script for you:
```php
<?php
function py_escape($input) {
    $descriptorspec = array(
        0 => array("pipe", "r"),   // child's stdin: we write the raw string
        1 => array("pipe", "w")    // child's stdout: we read the repr()
    );
    $process = proc_open(
        "python -c 'import sys; sys.stdout.write(repr(sys.stdin.read()))'",
        $descriptorspec, $pipes);
    fwrite($pipes[0], $input);
    fclose($pipes[0]);
    $chunk_size = 8192;
    // stream_get_contents reads up to $chunk_size bytes or until EOF;
    // fread on a pipe may return a short read before EOF.
    $escaped = stream_get_contents($pipes[1], $chunk_size);
    if (strlen($escaped) == $chunk_size) {
        // important for security.
        die("That string's too big.\n");
    }
    fclose($pipes[1]);
    proc_close($process);
    return $escaped;
}

// example usage:
$x = "string \rfull \nof\t crappy stuff";
print py_escape($x);
```
The chunk_size check is intended to prevent an attack whereby the input ends up being two long strings, `("hello " + ("." * chunk_size))` and `'; os.system("do bad stuff")` respectively. Now, that naive attack won't work exactly, because Python won't let a single-quoted string end in the middle of a line, and the quotes in the system() call will be quoted, but if the attacker manages to get a line continuation ("\") in the right place and uses `os.system(map(chr, ...))`, they can inject code to run.

I opted to read one chunk and give up if there's more output, rather than continuing to read and accumulate, because there are limits on Python source file line length; for all I know, that's an attack vector. Python is not intended to be secure against arbitrary people writing arbitrary source code on your system, so that's an area that's unlikely to have been audited.

The fact that I had to think about this trivial example is itself an example of why you shouldn't use Python source code as a data interchange format.
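The contrast the answer draws, as an added example that is not part of the original question or answer: the question's naive single-quote wrapping beside the repr() form, a defensive check (using the `ast` module) that a generated line really is one string assignment and nothing more, and the configparser round trip the answer recommends instead. The function names and the sample inputs are constructed for this illustration.

```python
import ast
import configparser
import io

def naive_py_assignment(name, value):
    """The quoting the question proposes: wrap in single quotes, no escaping."""
    return f"{name} = '{value}'\n"

def repr_py_assignment(name, value):
    """The answer's suggestion: repr() emits a valid literal for any str."""
    return f"{name} = {value!r}\n"

def is_single_string_assignment(source, name):
    """Defensive check on generated source: accept only one statement that
    assigns a string constant to `name`; any extra statement or call fails."""
    try:
        tree = ast.parse(source)
    except SyntaxError:
        return False
    if len(tree.body) != 1:
        return False
    stmt = tree.body[0]
    return (isinstance(stmt, ast.Assign)
            and len(stmt.targets) == 1
            and isinstance(stmt.targets[0], ast.Name)
            and stmt.targets[0].id == name
            and isinstance(stmt.value, ast.Constant)
            and isinstance(stmt.value.value, str))

def ini_roundtrip(name, value):
    """Carry the value through an .ini file instead of Python source.
    configparser handles quotes and newlines itself (continuation lines);
    interpolation is off so '%' in user input is not special."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg["mailman"] = {name: value}
    buf = io.StringIO()
    cfg.write(buf)
    back = configparser.ConfigParser(interpolation=None)
    back.read_string(buf.getvalue())
    return back["mailman"][name]

# Constructed input: closes the naive quote and starts a second statement.
HOSTILE = "'; hijacked = True\n#"
CLEAN = "this string is user input"
```

Note that configparser trims leading and trailing whitespace from values, so a value that must keep it verbatim needs a different format (JSON, for example).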