current community

your communities

more stack exchange communities

Stack Exchange
tour help
stack overflow careers
Take the 2-minute tour ×
Stack Overflow is a question and answer site for professional and enthusiast programmers. It's 100% free, no registration required.
up vote 0 down vote favorite

I'm using JSON to send the javascript script code over to a php script to get packed(encrypted) I'm using Dead Edwrd's PHP Javascript Packer http://joliclic.free.fr/php/javascript-packer/en/index.php The packer works fine but i am facing a weird problem causing the packed results to go wrong.

Here's the original script i want to pack:

<script type='text/javascript'>jwplayer('mediaspace').setup({ 'flashplayer': 'http://www.domain.com/player/player/player.swf', 'file': 'http://doamin.com','image': 'http://www.domain.com/images/background.jpg', 'skin': 'http://www.domain.com/player/skin/glow.zip', 'plugins': 'hd-2,timeslidertooltipplugin-1', 'hd.file': 'http://doamin.com', 'controlbar': 'over', 'stretching': 'exactfit', 'width': '700', 'height': '404' });</script>

I use javascript escape on this script before sending it to my php script

It looks like this after escaped:

%3Cscript%20type%3D%27text/javascript%27%3Ejwplayer%28%27mediaspace%27%29.setup%28%7B%20%27flashplayer%27%3A%20%27http%3A//www.domain.com/player/player.swf%27%2C%20%27file%27%3A%20%27http%3A//domain.com%27%2C%20%20%20%20%20%27image%27%3A%20%27http%3A//www.domain.com/images/background.jpg%27%2C%20%27skin%27%3A%20%27http%3A//www.domain.com/player/skin/glow.zip%27%2C%20%27plugins%27%3A%20%27hd-2%2Ctimeslidertooltipplugin-1%27%2C%20%27hd.file%27%3A%20%27http%3A//domain.com%27%2C%20%27controlbar%27%3A%20%27over%27%2C%20%27stretching%27%3A%20%27exactfit%27%2C%20%27width%27%3A%20%27700%27%2C%20%27height%27%3A%20%27404%27%20%7D%29%3B%3C/script%3E

Then i send this over to my php script using JSON.

PHP script to get the value and packed the script and return the packed script to the javascript:

<?php
$src = $_GET['code'];
$callback = $_GET['callback'];

require 'class.JavaScriptPacker.php';

$packer = new JavaScriptPacker($src, 'Normal', true, false);
$packed = $packer->pack();

$output = array('error'=>'none', 'results'=> $packed , 'source' => $src);
$out_string =  json_encode($output);
echo $callback.'('.$out_string.');';
?>

P/S I have added 'source' to the array , so i can check what exactly php GET.

Now the problem , i don't know why but php is adding backward slashes to the source/$src as shown below:

<script type=\'text/javascript\'>jwplayer(\'mediaspace\').setup({ \'flashplayer\': \'http://www.domain.com/player/player.swf\', \'file\': \'http://domain.com\', \'image\': \'http://www.domain.com/images/ackground.jpg\', \'skin\': \'http://www.domain.com/player/skin/glow.zip\', \'plugins\': \'hd-2,timeslidertooltipplugin-1\', \'hd.file\': \'http://domain.com\', \'controlbar\': \'over\', \'stretching\': \'exactfit\', \'width\': \'700\', \'height\': \'404\' });</script>

This wreck the pack results

Results i wanted:

eval(function(p,a,c,k,e,d){while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+c.toString(a)+'\\b','g'),k[c])}}return p}('<8 g=\'f/e\'>d(\'l\').k({\'j\':\'3://6.5.0/4/4/4.n\',\'7\':\'3://b.0\',\'m\':\'3://6.5.0/i/h.c\',\'9\':\'3://6.5.0/4/9/x.z\',\'o\':\'a-2,w-1\',\'a.7\':\'3://b.0\',\'y\':\'v\',\'u\':\'q\',\'p\':\'r\',\'s\':\'t\'});</8>',36,36,'com|||http|player|domain|www|file|script|skin|hd|doamin|jpg|jwplayer|javascript|text|type|background|images|flashplayer|setup|mediaspace|image|swf|plugins|width|exactfit|700|height|404|stretching|over|timeslidertooltipplugin|glow|controlbar|zip'.split('|')))

BUT the results i got due to the backward slashes(which wreck the script too)

eval(function(p,a,c,k,e,d){while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+c+'\\b','g'),k[c])}}return p}('<2 1=\\\'0/3\\\'>4(\\\'7\\\').6({\\\'5\\\':\\\'8:',9,9,'text|type|script|javascript|jwplayer|flashplayer|setup|mediaspace|http'.split('|')))

what am i doing wrong?

share|improve this question

3 Answers 3

up vote 1 down vote accepted

Add this at start of your php script:

if(get_magic_quotes_gpc())
{
    function undo_magic_quotes_array($array)
    {
        return is_array($array) ? array_map('undo_magic_quotes_array', $array) : stripslashes($array));
    }
    $_GET = undo_magic_quotes_array($_GET);
    $_POST = undo_magic_quotes_array($_POST);
    $_COOKIE = undo_magic_quotes_array($_COOKIE);
    $_FILES = undo_magic_quotes_array($_FILES);
    $_REQUEST = undo_magic_quotes_array($_REQUEST);
}
share|improve this answer
    
Use stripslashes instead of your str_replace calls. –  ThiefMaster May 31 '12 at 7:44
    
stripslashes work with string types, but str_replace work with whole array. With stripslashes it wouldnt work for nested arrays –  Vitaly Dyatlov May 31 '12 at 7:47
    
But you never pass an array to that function - if it's an array, you use array_map which calls your function on every item of the array. –  ThiefMaster May 31 '12 at 7:51
    
<input type="text" name="fields[form1][username]" value="some ' unescaped value"/> - this would fail, as array_map goes only through 1st-level elements of an array –  Vitaly Dyatlov May 31 '12 at 7:53
    
But then your function is called recursively so array_map will be used again. –  ThiefMaster May 31 '12 at 7:54
up vote 1 down vote

You probably have magic_quotes turned on which automatically adds the backslash to POST, GET and COOKIE variables.

Disable it in php.ini (it's deprecated as of PHP 5.3 and removed in 5.4 anyway) or simply use stripslashes:

$src = $_GET['code'];
if (get_magic_quotes_gpc())  
  $src = stripslashes($src);

Or you can escape all $_GET variables at once:

$_GET = array_map('stripslashes', $_GET);
share|improve this answer
up vote 0 down vote

It is because of json_encode. You are treating your entire script as if it were a string. Naturally, as a string, it will need \ to escape various characters.

The JSON that would be created here looks something like this:

{
    'error':'none', 
    'results':'eval(...)',
    'source':'...whatever your $src is...'
}

notice that eval(...) and whatever your $src was are now wrapped in quotes. They are strings and various characters must be escaped.

share|improve this answer

Your Answer

 
discard

By posting your answer, you agree to the privacy policy and terms of service.

Not the answer you're looking for? Browse other questions tagged or ask your own question.