More bombs needed
-
-
@PJH Can I just point out those unbalanced quotes are pissing me the hell off? My built-in syntax checker is throwing a fit.
INB4 someone tells me the inner one is an apostrophe: if there's any visual difference it's subtle enough not to be noticeable at a glance.
-
Copied from source:
e 'Job's Not Done' o
[root@NCL-DEVELOPER ~]# echo "e 'Job's Not Done' o" | hexdump -C
00000000  65 20 27 4a 6f 62 27 73  20 4e 6f 74 20 44 6f 6e  |e 'Job's Not Don|
00000010  65 27 20 6f 0a                                    |e' o.|
00000015
[root@NCL-DEVELOPER ~]#
Yup - they're all the same character.
-
@PJH said in More bombs needed:
Yup - they're all the same character.
To think of all the heartache they could have ‘saved’…
-
@Onyx said in More bombs needed:
@PJH Can I just point out those unbalanced quotes are pissing me the hell off? My built-in syntax checker is throwing a fit.
INB4 someone tells me the inner one is an apostrophe: if there's any visual difference it's subtle enough not to be noticeable at a glance.
That inner one is an apostrophe. No, there is no difference. It's the same character. It just has different meanings in different contexts.
Do you get all freaked out about apostrophes ordinarily? I used one of them in the preceding paragraph. Is this all an unbalanced quote now?
-
@dkf said in More bombs needed:
@PJH said in More bombs needed:
Yup - they're all the same character.
To think of all the heartache they could have ‘saved’…
It's actually super fun to try to write a quote fixer that converts `'` and `"` to their curly forms correctly.
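As an added illustration of why that is "fun" (this is example code, not something posted in the thread): a heuristic smart-quote fixer. Since the straight `'` and `"` are the same byte whatever they mean (see the hexdump above), the only thing a fixer can go on is the neighbouring characters, and the `'Tis` sample in the demo shows where that heuristic breaks. The function name `curlyQuotes` and the sample strings are constructed for this example.

```php
<?php
// Added example: heuristic conversion of straight quotes to curly ones.
// A straight quote carries no information about its role, so we decide
// opening vs. closing purely from the character that precedes it.

declare(strict_types=1);

function curlyQuotes(string $text): string
{
    // Split into Unicode code points so multi-byte input survives intact.
    $chars = preg_split('//u', $text, -1, PREG_SPLIT_NO_EMPTY);
    $out   = '';
    $n     = count($chars);

    for ($i = 0; $i < $n; $i++) {
        $c    = $chars[$i];
        $prev = $i > 0 ? $chars[$i - 1] : '';

        if ($c !== "'" && $c !== '"') {
            $out .= $c;
            continue;
        }

        // Opening if at the start of the text, or after whitespace or an
        // opening bracket; everything else is treated as closing.
        $opens = $prev === '' || preg_match('/^[\s(\[{]$/u', $prev) === 1;

        if ($c === '"') {
            $out .= $opens ? "\u{201C}" : "\u{201D}";
            continue;
        }

        // For the single quote, "closing" covers both a real closing quote
        // (...Done') and an apostrophe (Job's): they share U+2019.
        $out .= $opens ? "\u{2018}" : "\u{2019}";
    }

    return $out;
}

// Demo on input constructed for this example.
$samples = [
    "e 'Job's Not Done' o",            // the string from the hexdump above
    'He said "it\'s done" and left.',  // nested double and single quotes
    "'Tis the season",                 // known weakness: a leading elision
                                       // is an apostrophe, but the rule
                                       // picks an opening quote for it
];
foreach ($samples as $s) {
    echo $s, '  =>  ', curlyQuotes($s), PHP_EOL;
}
```

The third sample is the point: an apostrophe at the start of a word (`'Tis`, `'90s`) looks exactly like an opening quote to this rule, and resolving it needs a dictionary or language model rather than more character-class regexes.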
-
@anotherusername said in More bombs needed:
Do you get all freaked out about apostrophes ordinarily? I used one of them in the preceding paragraph. Is this all an unbalanced quote now?
No, because you didn't wrap it all in quotes, and even if you did it might be long enough for me not to immediately notice.
Look, when you mess with SQL, PHP and JS a lot, and all at the same time, quotation marks start to become very "special". In Postgres double quotes are identifiers while single quotes are strings, in PHP and JS both are strings BUT in PHP double quotes will also parse any enclosed variables. Oh, also, you want some quoted values in your templates? HAVE FUN!
...
I may have had a few tiffs with PHP today...
-
@Onyx What about backticks?
-
@aliceif I recommend them wholeheartedly in PHP.
`rm -rf / --no-preserve-root`
is loads of fun on poorly configured servers.
-
@aliceif instant "run the command you specified" shell, unless it's turned off for security. Except inside a single quote where it's a literal. It's possibly (probably) a literal inside double quotes too but I never tried.
Back ticks are the devil's bastard child of `exec` with helpfully slightly different semantics around expansion and globbing.
-
@Arantor said in More bombs needed:
instant "run the command you specified" shell, unless it's turned off for security.
Why would that ever not be turned off?
devil's bastard child of `exec`
Why would that ever not be turned off?!
with helpfully slightly different semantics around expansion and globbing.
Burn the heretic!!!
-
@anotherusername it used to be restricted by safe mode, or `shell_exec` being disabled (yes, `exec` and `shell_exec` are two different things), now it's only if `shell_exec` is disabled... IT ISN'T BY DEFAULT.
-
@Arantor said in More bombs needed:
helpfully slightly different semantics around expansion and globbing
-
@dkf you need an answer beyond 'it's fucking PHP'?
-
@Arantor Not really (it was a rhetorical meme picture) but it seems like extra work. The one permissible option would be if one was going via a route that avoids the shell (direct `execve()`) and the other is via one of the C standard sucky front-ends to it (e.g., `system()`). But I'd guess that most programmers, not understanding the importance of getting this right, would take the path of least resistance and do the second option.
-
@dkf PHP has two routes - `shell_exec` and `exec`, of which backticks are functionally equivalent to `shell_exec`. And they conform to your two routes that you mention, approximately. Of course, most PHP developers have no idea which is why, or why.
Fortunately most developers don't use them - and fortunately most shared hosts disable one or both. Unfortunately there are plenty of other toys to shoot oneself in the foot with, e.g. process forking.
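The two routes discussed in the last few posts, shown side by side from the defensive end (added example code, not posted by anyone in the thread): the shell route, where backticks and `shell_exec()` hand one string to `/bin/sh` and `escapeshellarg()` is what keeps a value from being parsed as shell syntax, and the no-shell route, where `proc_open()` with an array command (PHP 7.4 and later) passes each element as its own `argv` entry, which is the `execve()`-style path dkf describes. The function names `shellRoute`/`noShellRoute` and the sample input are constructed for this example.

```php
<?php
// Added example: the same child process started via the shell and without it.
// Both runs reproduce the input byte-for-byte; the difference is what stops the
// metacharacters in it from being interpreted.

declare(strict_types=1);

// Route 1: through the shell (what `...` and shell_exec() do). The argument
// is only safe because escapeshellarg() wraps it in single quotes and
// escapes the embedded apostrophe, so the shell sees exactly one word.
function shellRoute(string $userSuppliedName): string
{
    $cmd = 'printf %s ' . escapeshellarg($userSuppliedName);
    return (string) shell_exec($cmd);
}

// Route 2: no shell. The array form of proc_open() is executed directly,
// so ';', quotes or '$(...)' inside the argument are just bytes in argv[2].
// 'printf' is resolved via PATH, the same as a plain execvp() would do.
function noShellRoute(string $userSuppliedName): string
{
    $descriptors = [
        1 => ['pipe', 'w'], // stdout
        2 => ['pipe', 'w'], // stderr
    ];
    $proc = proc_open(['printf', '%s', $userSuppliedName], $descriptors, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('proc_open failed');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);

    return $out;
}

// Constructed input: a "name" containing an apostrophe and a semicolon, i.e.
// exactly the characters the thread is arguing about. Both routes print it
// back unchanged instead of treating the semicolon as a command separator.
$input = "Job's Not Done; echo oops";
foreach (['shellRoute', 'noShellRoute'] as $fn) {
    echo str_pad($fn, 13), ': ', $fn($input), PHP_EOL;
}
```

The practical difference is where the burden sits: on the shell route every interpolated value has to be remembered and wrapped, and one missed `escapeshellarg()` is enough; on the array route there is no shell to forget about, which is why it is the one to reach for when the command and its arguments are already known as separate values.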
-
@aliceif said in More bombs needed:
What about backticks?
Coincidentally, someone posted on FB a while ago, an image macro about debugging shell scripts, and it involved adding/removing quotes. I made a joke about if that doesn't work, try adding backquotes, in the comments.