Do file_get_contents and readfile execute PHP code?

I was always sure that the PHP functions file_get_contents and readfile execute any PHP code in any files - regardless of the type of file - that are passed to them. I tried this on several settings and it always worked.

I got a question about this here, and the user seems to think that this is not the case.

I looked at the PHP documentation for the functions and they don't mention code execution (which I would expect if this usually happened, as it has serious security implications).

I also searched for it and found many statements that the functions do not execute PHP code. For instance:

"readfile does not execute code on your server, so there is no problem." (source)

The search for "php file_get_contents code execution" also returns various questions trying to execute the extracted PHP code, which seems strange if it really did execute any given PHP code.

I also found one question that asks about not executing PHP code, so the execution seems to be happening with others.

So my questions are:

  • Do file_get_contents and readfile execute PHP code in extracted files?
  • Does it depend on some php.ini settings? If so, which setting(s)?
  • Does it depend on the version of PHP, and if so, which versions are affected?
  • If this is not the case, what could be the reason that they are executing PHP code in my settings?
+5
2 answers

file_get_contents and readfile do not execute code. All they do is return the original contents of the file. It can be text, PHP code, a binary file (for example, image files) or something else. No interpretation of the contents of the files occurs at all.

The only situations in which execution may seem to be happening are:

  • The <?php ?> tags will most likely be hidden by the browser because it is trying to interpret them as HTML tags, so this can make the PHP seem to disappear and therefore to have been executed.
  • You read a source that executes code, for example when reading from http://example.com/foo.php. In this case, the functions have the same effect as visiting this URL in a web browser: the serving web server executes the PHP code and returns the result, but file_get_contents just gets this result and returns it.
+7

These functions are described in the "Function Reference / File System Associated Extensions / File System" section of the manual, while the code execution function is described in the "Function Reference / Process Control Extensions" section.

I am sure that the misunderstanding is due to some widespread confusion between the file system and the network, which is further aggravated by the PHP streams feature, which provides protocol wrappers that allow using the same functions to transparently open any resources: local files, network resources, compressed archives, etc. I see endless posts here where someone is doing something like this:

 file_get_contents('http://example.com/inc/database.inc.php'); 

... and wonders why he does not see this database connection. And the answer is clear: you are not loading the file, you are fetching the URL. As a result, the code inside database.inc.php is effectively executed ... albeit indirectly.

+6
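The behaviour both answers describe, as an added example that is not part of the original thread: a PHP CLI script that writes a constructed sample file and compares what file_get_contents, readfile and include each do with it. The temp-file prefix and the marker string are assumptions made for the demonstration.

```php
<?php
// Constructed sample file: literal text around one PHP tag.
$path = tempnam(sys_get_temp_dir(), 'fgc_');
file_put_contents($path, "before <?php echo 'EXECUTED:' . (6 * 7); ?> after");

// file_get_contents() returns the bytes on disk, PHP tag included.
$raw = file_get_contents($path);

// readfile() copies the same bytes to the output buffer.
ob_start();
readfile($path);
$streamed = ob_get_clean();

// include passes the file to the PHP engine, which evaluates the tag.
ob_start();
include $path;
$included = ob_get_clean();

unlink($path);

$checks = [
    'file_get_contents kept the PHP tag'  => strpos($raw, '<?php') !== false,
    'file_get_contents ran the code'      => strpos($raw, 'EXECUTED:42') !== false,
    'readfile output equals the raw file' => $streamed === $raw,
    'include ran the code'                => $included === 'before EXECUTED:42 after',
];
foreach ($checks as $label => $result) {
    printf("%-38s %s\n", $label, $result ? 'yes' : 'no');
}

/* A browser treats the PHP tag in $raw as unknown markup and hides it,
   which is why the code can appear to have run. Escape it to see it. */
echo htmlspecialchars($raw, ENT_QUOTES, 'UTF-8'), PHP_EOL;
```

For code review, the consequence is that file contents read this way stay data until something passes them to include, require or eval.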

Source: https://habr.com/ru/post/1246660/

