


Dynamic generation of PHP code in PHP: Security practice and syntax processing skills
Understand the root cause of the problem
When a PHP script writes a string that itself contains PHP code (the `<?php` tag, a `$variable`, and so on) to a file, the special syntax can appear to be "swallowed" or misinterpreted. The cause is that PHP parses the contents of a double-quoted string literal and substitutes variables before anything else happens: `$passwords` inside "..." is looked up in the current scope, and if it is undefined the result is an empty string (PHP 8 also emits `Warning: Undefined variable $passwords`). Similarly, structures like
In the original sample code, the developer attempted to write a string containing the definition of the PHP array to a file:
<?php
$txt = "<?php $passwords = array(
    'login1' => 'password1',
    'login2' => 'password2',
    'login3' => 'password3',
);?>";
$myfile = fopen("htpassw_array.php", "w") or die("Unable to open file!");
fwrite($myfile, $txt);
fclose($myfile);
?>
The file that this script writes is not what the developer intended. Because `$passwords` is not defined when the string literal is evaluated, PHP substitutes an empty string for it, so htpassw_array.php contains:
<?php  = array( 'login1' => 'password1', 'login2' => 'password2', 'login3' => 'password3', );?>
The `<?php` and `?>` tags themselves survive: PHP does not interpret them inside a string literal, only the variable. If the generated file appears to lack the tags as well, you are most likely viewing it through the web server or a browser, which executes or hides a `<?php ... ?>` block; inspect it with a text editor or `cat` instead. Either way the result is a parse error the moment the file is included, which shows that PHP evaluates the contents of $txt when the string is built, not when the file is later read.
Recommended first: best practices for data storage
Writing data to a file in the form of PHP code is rarely the best option, least of all for sensitive data such as passwords. A PHP file that contains passwords and sits in a directory served by the web server is a serious risk. Under a normal configuration the server executes a .php file rather than serving its source, but any slip exposes the passwords verbatim to anyone who requests the URL (for example https://example.com/htpassw_array.php): a disabled or misconfigured PHP handler, an editor backup copy such as htpassw_array.php~ or .bak that the server serves as plain text, or an enabled directory listing. A JSON or TXT file in the same location is served as-is with no misconfiguration needed at all.
1. Avoid storing sensitive data in the web root directory
Any file containing sensitive information, whatever its format (PHP, JSON, TXT, etc.), should not be placed in the web server's document root or any of its subdirectories. Store such files in a private directory outside the document root (for example under /home/youruser on Linux or C:/Users/youruser on Windows), make them readable only by the account the PHP process runs as (mode 0600 on Linux), and reference them from code by absolute path.
2. Use a format that is more suitable for data storage
For structured data, PHP code files are not the only choice, or even the best choice. Here are a few more recommended data storage methods:
- JSON format: JSON (JavaScript Object Notation) is a lightweight data interchange format that is easy for people to read and write and easy for machines to parse and generate. PHP has the built-in json_encode() and json_decode() functions, which convert a PHP array to a JSON string and back.
Example: Store password array as a JSON file (and place it outside the web root directory)
<?php
$password_data = array(
    'login1' => 'password1',
    'login2' => 'password2',
    'login3' => 'password3',
);
// Store the file outside the web root, for example under /home/myuser/data/
$file_path = "/home/myuser/data/htpassw_array.json";
// Encode the PHP array as a JSON string
$json_content = json_encode($password_data, JSON_PRETTY_PRINT);
$myfile = fopen($file_path, "w") or die("Cannot open the file for writing!");
fwrite($myfile, $json_content);
fclose($myfile);
echo "The data has been successfully written to: " . $file_path . "\n";
?>
When you need to read data, you can do this:
<?php
$file_path = "/home/myuser/data/htpassw_array.json";
if (file_exists($file_path)) {
    $json_content = file_get_contents($file_path);
    $password_data = json_decode($json_content, true); // true: decode as an associative array
    if ($password_data === null) {
        // json_decode() returns null for malformed input instead of raising an error
        die("The file does not contain valid JSON.\n");
    }
    print_r($password_data);
} else {
    echo "The file does not exist.\n";
}
?>
- var_export(): The var_export() function returns (or prints) a parsable string representation of a variable, so a PHP value can be saved as PHP code and loaded again with include or require. Unlike json_encode(), the result is executable PHP, so the file's location matters even more; on the other hand, var_export() takes care of quoting and escaping string values, which a hand-built string does not.
<?php
$password_data = array(
    'login1' => 'password1',
    'login2' => 'password2',
    'login3' => 'password3',
);
$file_path = "/home/myuser/data/htpassw_array_export.php";
// Build a parsable PHP file that returns the array. No closing ?> tag:
// any whitespace after it would be sent as output whenever the file is included.
$php_content = "<?php\n\nreturn " . var_export($password_data, true) . ";\n";
$myfile = fopen($file_path, "w") or die("Cannot open the file for writing!");
fwrite($myfile, $php_content);
fclose($myfile);
echo "The data has been successfully written to: " . $file_path . "\n";
?>
When reading:
<?php
$file_path = "/home/myuser/data/htpassw_array_export.php";
if (file_exists($file_path)) {
    $password_data = require $file_path; // require returns the value of the file's return statement
    print_r($password_data);
} else {
    echo "The file does not exist.\n";
}
?>
3. Ultimate solution: Use database
Databases (MySQL, PostgreSQL, SQLite, etc.) are the best choice for user authentication, configuration, or any data that needs persistent storage and efficient querying. They provide transactions, indexing, permission management and integrity constraints that file storage cannot match. Whatever the backend, store password hashes produced by password_hash() rather than plaintext; the examples on this page keep plaintext only to match the original question.
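The following script, added here as an example and not code from the original article, ties this section's recommendations together: the passwords are hashed with password_hash() (the article's arrays hold plaintext, which is acceptable only for illustration), the JSON file lives outside the document root with owner-only permissions, and the write is atomic (temporary file plus rename) so a concurrent reader never sees a half-written file. The path /home/myuser/data/credentials.json, the function names and the sample logins are assumptions constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example, not part of the original article. STORE_PATH is an assumed
// location outside the web root; the sample logins below are constructed.
const STORE_PATH = '/home/myuser/data/credentials.json';

// Hash plaintext passwords before they are ever written. password_hash() picks a
// random salt per entry, so identical passwords do not produce identical hashes.
function hashPasswords(array $plaintext): array
{
    $hashes = [];
    foreach ($plaintext as $login => $password) {
        $hashes[$login] = password_hash($password, PASSWORD_DEFAULT);
    }
    return $hashes;
}

// Write an array of login => hash to $path. The temp file is created in the same
// directory so rename() is atomic; chmod 0600 keeps other local users out.
function saveCredentialStore(array $hashes, string $path = STORE_PATH): void
{
    $json = json_encode($hashes, JSON_PRETTY_PRINT | JSON_THROW_ON_ERROR);

    $tmp = tempnam(dirname($path), 'cred');
    if ($tmp === false) {
        throw new RuntimeException("Cannot create a temporary file next to $path");
    }
    if (file_put_contents($tmp, $json, LOCK_EX) === false) {
        unlink($tmp);
        throw new RuntimeException("Cannot write $tmp");
    }
    chmod($tmp, 0600);
    if (!rename($tmp, $path)) {
        unlink($tmp);
        throw new RuntimeException("Cannot move $tmp to $path");
    }
}

// Load the store. JSON_THROW_ON_ERROR turns a corrupt file into an exception
// instead of the silent null that json_decode() returns by default.
function loadCredentialStore(string $path = STORE_PATH): array
{
    $raw = file_get_contents($path);
    if ($raw === false) {
        throw new RuntimeException("Cannot read $path");
    }
    $data = json_decode($raw, true, 512, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new UnexpectedValueException("$path does not contain a JSON object");
    }
    return $data;
}

// Check a login attempt. An unknown login is still verified against a dummy hash
// so that response time does not reveal which logins exist.
function checkLogin(array $store, string $login, string $password): bool
{
    static $dummy = null;
    $dummy ??= password_hash('dummy', PASSWORD_DEFAULT);
    $hash = $store[$login] ?? $dummy;
    return password_verify($password, $hash) && isset($store[$login]);
}

// Constructed sample data mirroring the article's array.
$plain = ['login1' => 'password1', 'login2' => 'password2', 'login3' => 'password3'];
saveCredentialStore(hashPasswords($plain));

$store = loadCredentialStore();
var_dump(checkLogin($store, 'login1', 'password1'));
var_dump(checkLogin($store, 'login1', 'wrong'));
var_dump(checkLogin($store, 'nobody', 'password1'));
```

The rename-into-place pattern matters whenever a web process may be reading the file while another request rewrites it; writing with fopen("w") truncates the file first, so a reader at the wrong moment gets an empty or partial document.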
Dynamically generating PHP code: syntax handling techniques
Although it is not generally recommended to store data as executable PHP code, in certain specific scenarios (such as code generators, automated deployment scripts, or dynamic creation of complex configuration files), PHP code does need to generate other PHP code. In this case, correct syntax processing techniques must be mastered to prevent the PHP interpreter from parsing special characters in the string in advance.
1. Use backslashes to escape special characters
In double-quoted strings, the $ symbol starts a variable reference. To have PHP treat it as a literal character instead, escape it with a backslash: \$.
Example: Escape $ symbol
<?php
// \$ keeps the dollar sign literal, so $passwords is not interpolated
$txt = "<?php \$passwords = array(
    'login1' => 'password1',
    'login2' => 'password2',
    'login3' => 'password3',
); ?>";
$myfile = fopen("htpassw_array_escaped.php", "w") or die("Cannot open the file!");
fwrite($myfile, $txt);
fclose($myfile);
echo "File htpassw_array_escaped.php has been generated.\n";
?>
Output file htpassw_array_escaped.php content:
<?php $passwords = array(
    'login1' => 'password1',
    'login2' => 'password2',
    'login3' => 'password3',
); ?>
2. Switch string reference method
PHP handles single and double quoted strings in different ways. In single quote strings, PHP does not parse variables or most escape sequences (except \' and \\). This means that if your target string contains the $ symbol, but you want it to be treated as a literal, then using a single quote string is a cleaner way to do this.
Example: Using single quote strings
<?php
// Single quotes around the whole template: $passwords is not interpolated.
// The string values inside therefore use double quotes.
$txt = '<?php $passwords = array(
    "login1" => "password1",
    "login2" => "password2",
    "login3" => "password3",
); ?>';
$myfile = fopen("htpassw_array_single_quote.php", "w") or die("Cannot open the file!");
fwrite($myfile, $txt);
fclose($myfile);
echo "File htpassw_array_single_quote.php has been generated.\n";
?>
Output file htpassw_array_single_quote.php content:
<?php $passwords = array(
    "login1" => "password1",
    "login2" => "password2",
    "login3" => "password3",
); ?>
3. String concatenation
While a backslash escape or single quotes is usually more direct for a $variable, string concatenation can be used for other structures that PHP may interpret (such as
Example: using string concatenation
<?php
// A lone "$" is literal; concatenating it with "passwords" keeps the two apart
// so the interpreter never sees $passwords as a variable reference.
$txt = "<?php " . "$" . "passwords = array(
    'login1' => 'password1',
    'login2' => 'password2',
    'login3' => 'password3',
); ?>";
$myfile = fopen("htpassw_array_concatenated.php", "w") or die("Cannot open the file!");
fwrite($myfile, $txt);
fclose($myfile);
echo "File htpassw_array_concatenated.php has been generated.\n";
?>
Output file htpassw_array_concatenated.php content:
<?php $passwords = array(
    'login1' => 'password1',
    'login2' => 'password2',
    'login3' => 'password3',
); ?>
For a plain $variable this approach is redundant, since PHP never interpolates a string twice, but it gives finer control in some edge cases.
Verify the generated code
Regardless of the method used to generate the PHP file, verification should be performed to ensure that its content is correct and executable.
Verification example:
Suppose we successfully generated the htpassw_array.php file, with the following content:
<?php $passwords = array( 'login1' => 'password1', 'login2' => 'password2', 'login3' => 'password3', ); ?>
We can introduce the file through require_once and use var_dump to check the contents of the $passwords variable:
<?php
require_once "htpassw_array.php"; // the generated file, loaded from the current directory
var_dump($passwords);
?>
Expected output:
array(3) {
  ["login1"]=>
  string(9) "password1"
  ["login2"]=>
  string(9) "password2"
  ["login3"]=>
  string(9) "password3"
}
If the output is consistent with expectations, it means that the generated PHP code is valid.
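As an added example (not code from the original article) that covers both the generation techniques above and this verification step: a small generator renders the array through var_export() inside a nowdoc string (<<<'PHP'), a fourth technique the article does not list; like a single-quoted string a nowdoc is never interpolated, but it spans many lines with no escaping. The generator writes to a temporary file, runs php -l on it, and only then moves it into place. The naive double-quoted interpolation is kept alongside, rendered but never written or executed, to show why var_export() matters once values come from users: a single quote inside a value closes the string literal and whatever follows becomes PHP that runs on the next include. Assumptions: the script runs under the CLI (so PHP_BINARY is the php binary that accepts -l), the output path /home/myuser/data/generated_config.php lies outside the web root, and the input array is constructed.

```php
<?php
declare(strict_types=1);

// Added example, not part of the original article. OUT_PATH is an assumed
// location outside the web root; the input data below is constructed.
const OUT_PATH = '/home/myuser/data/generated_config.php';

// Render the file body. The template is a nowdoc (<<<'PHP'): like a single-quoted
// string it is never interpolated, so $ and <?php inside it are plain text, yet it
// spans many lines with no escaping. The array goes through var_export(), which
// escapes quotes and backslashes so a value cannot close its own string literal.
function renderConfigFile(array $data, string $variable = 'passwords'): string
{
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $variable)) {
        throw new InvalidArgumentException("Not a valid PHP variable name: $variable");
    }
    $template = <<<'PHP'
<?php
// Generated file: do not edit by hand.
$%1$s = %2$s;
return $%1$s;

PHP;
    return sprintf($template, $variable, var_export($data, true));
}

// The pattern from the original question, kept only for contrast and never
// written to disk: values interpolated straight into a double-quoted string.
function renderNaively(array $data): string
{
    $out = "<?php\n\$passwords = array(\n";
    foreach ($data as $login => $password) {
        $out .= "    '$login' => '$password',\n";
    }
    return $out . ");\n";
}

// Syntax-check a candidate file with `php -l`; exit status 0 means it parses.
// Assumes PHP_BINARY is the CLI binary (true when this script itself runs under the CLI).
function lintsCleanly(string $path): bool
{
    exec(escapeshellarg(PHP_BINARY) . ' -l ' . escapeshellarg($path) . ' 2>&1', $output, $status);
    return $status === 0;
}

// Write to a temp file in the target directory, lint it, then rename() it into
// place so readers see either the old file or the new one, never a partial write.
function writeConfigFile(array $data, string $path = OUT_PATH): void
{
    $tmp = tempnam(dirname($path), 'cfg');
    if ($tmp === false) {
        throw new RuntimeException("Cannot create a temporary file next to $path");
    }
    if (file_put_contents($tmp, renderConfigFile($data), LOCK_EX) === false) {
        unlink($tmp);
        throw new RuntimeException("Cannot write $tmp");
    }
    chmod($tmp, 0600);
    if (!lintsCleanly($tmp)) {
        unlink($tmp);
        throw new RuntimeException('Generated PHP failed php -l; refusing to install it');
    }
    if (!rename($tmp, $path)) {
        unlink($tmp);
        throw new RuntimeException("Cannot move $tmp to $path");
    }
    // OPcache may still hold the previous version of a file at this path.
    if (function_exists('opcache_invalidate')) {
        opcache_invalidate($path, true);
    }
}

// Constructed input: login3's "password" is what an attacker would type into a
// registration form whose handler writes straight into a PHP file.
$input = [
    'login1' => 'password1',
    'login2' => 'password2',
    'login3' => "x', 'evil' => system('id'), 'y' => 'z",
];

echo "--- naive interpolation: system('id') lands inside the array literal ---\n";
echo renderNaively($input);
echo "--- var_export() inside a nowdoc: the value stays one quoted string ---\n";
echo renderConfigFile($input);

writeConfigFile($input);
$loaded = require OUT_PATH;
if ($loaded['login3'] !== $input['login3']) {
    throw new RuntimeException('Round trip changed the stored value');
}
```

The lint step catches only syntax errors; it is the var_export() rendering that guarantees untrusted values stay data. Both are needed: without var_export() the injected file lints perfectly, because it is valid PHP.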
Summary and precautions
- Security first: do not store sensitive data as executable PHP code under a path the web server can reach unless absolutely necessary. Prefer a database, or JSON/var_export files stored outside the web root, and store password hashes (password_hash()) rather than plaintext.
- Understanding PHP string parsing: Mastering the difference between single quotes and double quotes strings, as well as the special meaning of the $ symbol in double quotes, is the key to correctly generating PHP code.
- Tip: for a simple variable name, a backslash escape or a switch to single quotes is the most direct and efficient approach. For larger generated files, a template engine or var_export()-based rendering is more suitable than hand-built strings.
- Code generation scenario: Dynamically generating PHP code is mainly suitable for specific development tools such as code generators and automated scripts, rather than daily data storage.
- Always verify: test and validate any dynamically generated code before it is used in production, for example by running php -l on the generated file and including it in a throwaway script.