Search for a crook <!----> in PHP
This is: <!---->
This ... this ... thing. Right there.
7 evil characters, forcing IE to display every page that has it at the top in quirks mode:

    <!----><!DOCTYPE html>
    <html lang="en">
    <head>
    <meta charset="UTF-8">

If this is not evil, I do not know what is, because it is, of course, not in my template file, the first few lines of which are:

    <!DOCTYPE html>
    <html lang="en">
    <head>
    <meta charset="UTF-8">
    <?php $this->outputHead(); ?>
    </head>

Of course, I don't see any problems in my actual output code:

    function build() {
        if ($this->disabled) {
            return $this->content;
        } else {
            global $footer;
            ob_start();
            $location = $this->location;
            include($this->location['theme_nr'].'/overall.php');
            return ob_get_clean();
        }
    }

    function outputAll() {
        // stop capturing everything
        $this->content = ob_get_clean();
        // build the page
        echo $this->build();
    }

I just do not understand. How did this thing get into my code?
I can just imagine the > bit at the end turning into a smile, and the thing laughing at me.
It pursues my dreams, it kills my cats, I don't know what it is going to do next, but it is going to kill something.
Help me, gods of web development!
EDIT: Just a note, it appears in all browsers, but it looks like only IE balks at it and none of the others.
I found the culprit.
Somehow, the kludge that I have in the function to hide the MySQL error causes problems in only one of my branches, although the function where it is called did not change between the two branches either.
For those interested, this code:
    function isexistinguser($uname,$pwd) {
        global $location;
        $uname = mysql_real_escape_string($uname);
        $result = mysql_query("SELECT * FROM users WHERE user_username = '$uname'");
        $hit = 0;
        $rowcounted = false;
        $salt = '';
        echo '<!--'; // cheap fix for mysql error - FIND A BETTER WAY!
        while($row = mysql_fetch_array($result)) {
            // Do stuff to figure out what to return
        }
        echo '-->'; // cheap fix for mysql error - FIND A BETTER WAY!
        return array($hit,$salt);
    }

I looked at the git repository you posted and it is not contained inside. You can try a diff from the copy on GitHub to your current copy, as there is a change in your changes.
If you use an IDE, do a global file search for the character string. These kinds of "mistakes" can be unpleasant.
It looks like a situation where grep is convenient, if you can use it either through Cygwin or directly on Linux. A quick example of a simple file search for this HTML comment:

    grep -RF '<!---->' ./*

This should narrow your search.
About your error handling: the first way to handle this is to define and use your own handlers instead of PHP's default, with set_error_handler.
As a simple fix, change this line:

    $result = mysql_query("SELECT * FROM users WHERE user_username = '$uname'");

with something like this:

    $result = mysql_query("SELECT * FROM users WHERE user_username = '$uname'");
    // bail out early if the query failed instead of looping over a non-resource
    if (!$result || !is_resource($result)) {
        return array(0, '');
    }

To end this, I recommend that you check out PDO for database usage.
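One way to apply the advice in the answer above (a custom handler via set_error_handler, a checked query result, and PDO), as an added example that is not code from the thread. The name find_user(), the user_salt column and the in-memory SQLite table are assumptions for illustration; the point is that a failed lookup goes to the log and nothing reaches the page, so no comment markers are needed to hide it.

```php
<?php
// Added example, not code from the thread. find_user(), the user_salt
// column and the SQLite table are assumptions made for illustration.
declare(strict_types=1);

// Never render errors into the page; send them to the log instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Turn PHP warnings/notices into exceptions so a failed call cannot
// silently print into the response body.
set_error_handler(function (int $severity, string $message, string $file, int $line): bool {
    if (!(error_reporting() & $severity)) {
        return false; // respect the configured error_reporting level
    }
    throw new ErrorException($message, 0, $severity, $file, $line);
});

// Returns [hit, salt], the same shape as the thread's isexistinguser().
function find_user(PDO $db, string $uname): array
{
    try {
        // Prepared statement: the user name is bound, never interpolated.
        $stmt = $db->prepare('SELECT user_salt FROM users WHERE user_username = :u');
        $stmt->execute([':u' => $uname]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
    } catch (Throwable $e) {
        error_log('user lookup failed: ' . $e->getMessage());
        return [0, ''];
    }
    return $row === false ? [0, ''] : [1, $row['user_salt']];
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user_username TEXT PRIMARY KEY, user_salt TEXT)');
$db->exec("INSERT INTO users VALUES ('alice', 'constructed-salt')");

ob_start();                                // capture anything echoed to the page
$hit  = find_user($db, 'alice');           // existing user
$miss = find_user($db, "x' OR '1'='1");    // treated as a literal name
$db->exec('DROP TABLE users');             // force a query failure
$fail = find_user($db, 'alice');           // failure is logged, not echoed
$leaked = ob_get_clean();

var_dump($hit, $miss, $fail, $leaked === '');
```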
I would look for the string "evil":
    grep -R -e '-->' /your/folder