Base64 encoding/decoding

  • wpas
  • Proficient
  • Proficient
  • User avatar
  • Posts: 378
  • Loc: Canada

Post 76 days ago

I am getting familiar with base64 encoding and have the following questions.

First, I want to encode the following php script line:

echo "this is <br /><br/>$en64<br />now";

I let $en64 = 'echo "this is <br /><br/>$en64<br />now";'

I then encode by :
print_r(base64_encode($en64));
which gives:
ZWNobyAidGhpcyBpcyA8YnIgLz48YnIvPiRlbjY0PGJyIC8+bm93Ijs=

I then let $de64 = 'ZWNobyAidGhpcyBpcyA8YnIgLz48YnIvPiRlbjY0PGJyIC8+bm93Ijs='
I then decode by:
print_r(base64_decode($de64));
which gives:
echo "this is

$en64
now";

I expected to see :
echo "this is <br /><br/>$en64<br />now";

but instead the breaks are not shown but actually performed.

I went to a few sights that used base64 coding and found that some did actually show exactly what I inputted and others did not show but actually performed the breaks.

I would like to see the decoded script exactly as it was inputted and not implements as done for the breaks.

Anyone got any idea why this happens on some sites and not others.
Is it the ouput character set that is used or what
  • Bigwebmaster
  • Site Admin
  • Site Admin
  • User avatar
  • Posts: 9193
  • Loc: Seattle, WA & Phoenix, AZ

Post 76 days ago

If you are viewing this in your browser, yes it would be valid HTML and would actually cause breaks. If you view the source you would see exactly the text you would expect.

If you don't want the HTML to actually be parsed by the browser, then use:

PHP Code: [ Select ]
htmlspecialchars($somestring)


http://php.net/manual/en/function.htmlentities.php
  • wpas
  • Proficient
  • Proficient
  • User avatar
  • Posts: 378
  • Loc: Canada

Post 75 days ago

Hi Bigwebmaster

Got it working
Seems I can use either
htmlspecialchars or htmlentities

I ran into another situation.

I have the following $str:
echo 'This is <br /> test for <br /> break and <b>bold</b><br />'; echo 'the break'; die();

If I use:
echo htmlentities($str), I get the above;
echo 'This is <br /> test for <br /> break and <b>bold</b><br />'; echo 'th break'; die();

Rather than create each string, I created an HTML textarea box to input any script and then post so that
$str = $_POST['text'];

When posted and I use:

echo htmlentities($str), I get:

echo \'This is <br /> test for <br /> break and <b>bold</b><br />\'; echo \'the break\'; die();

It looks like escape \ was added to any part that had quotes.

This only occurs when I post.
It works OK if I just manually set up the string.

Any ideas why POST is adding the escape slashes. This results in the wrong encoding
  • wpas
  • Proficient
  • Proficient
  • User avatar
  • Posts: 378
  • Loc: Canada

Post 75 days ago

By accident I came across a site that had the same problem

They indicated it was magic_quotes which existed in older php and was going to be removed and so to turn it off in your php.ini

If you do not have access to php.ini you can use the following php code to check and turn it off at start up.

Code: [ Select ]
<?php

//This turns off magic quotes which adds escapes to $_POST variables

if (get_magic_quotes_gpc()) {
  $process = array(&$_GET, &$_POST, &$_COOKIE, &$_REQUEST);
  while (list($key, $val) = each($process)) {
    foreach ($val as $k => $v) {
      unset($process[$key][$k]);
      if (is_array($v)) {
        $process[$key][stripslashes($k)] = $v;
        $process[] = &$process[$key][stripslashes($k)];
      } else {
        $process[$key][stripslashes($k)] = stripslashes($v);
      }
    }
  }
  unset($process);
}

?>
  1. <?php
  2. //This turns off magic quotes which adds escapes to $_POST variables
  3. if (get_magic_quotes_gpc()) {
  4.   $process = array(&$_GET, &$_POST, &$_COOKIE, &$_REQUEST);
  5.   while (list($key, $val) = each($process)) {
  6.     foreach ($val as $k => $v) {
  7.       unset($process[$key][$k]);
  8.       if (is_array($v)) {
  9.         $process[$key][stripslashes($k)] = $v;
  10.         $process[] = &$process[$key][stripslashes($k)];
  11.       } else {
  12.         $process[$key][stripslashes($k)] = stripslashes($v);
  13.       }
  14.     }
  15.   }
  16.   unset($process);
  17. }
  18. ?>


Once I added the script it worked perfectly
  • wpas
  • Proficient
  • Proficient
  • User avatar
  • Posts: 378
  • Loc: Canada

Post 70 days ago

I have the following php script to decode some base64 encoded text shown below:

Code: [ Select ]
<?php
//Below is the base64 encoded text
$en64 = "ZWNobyAiVGhpcyBpcyBiYXNlNjQgZW5jb2RlZCB0ZXh0Ijs=";
eval("?>".base64_decode($en64));
?>
  1. <?php
  2. //Below is the base64 encoded text
  3. $en64 = "ZWNobyAiVGhpcyBpcyBiYXNlNjQgZW5jb2RlZCB0ZXh0Ijs=";
  4. eval("?>".base64_decode($en64));
  5. ?>


When I run the script the eval() returns the following:

echo "This is base64 encoded text";

The php tags are also shown.

If I change the php script as shown below:

Code: [ Select ]
<?php
//Below is the base64 encoded text
$en64 = "ZWNobyAiVGhpcyBpcyBiYXNlNjQgZW5jb2RlZCB0ZXh0Ijs=";
eval(base64_decode($en64));
?>
  1. <?php
  2. //Below is the base64 encoded text
  3. $en64 = "ZWNobyAiVGhpcyBpcyBiYXNlNjQgZW5jb2RlZCB0ZXh0Ijs=";
  4. eval(base64_decode($en64));
  5. ?>


When I run the script the eval() returns the following:

This is base64 encoded text

As can be seen, with the removal of "?>". the php tags are not shown.
You get only the decoded base64 text.

I am not sure how this is happening.

It is interesting that the addition of "?>". seems to return the php script that was actually encoded, not the php executed text.

Can someone explain this to me as this is quite intriguing and can have some good uses.

Thanks
  • SpooF
  • ٩๏̯͡๏۶
  • Bronze Member
  • User avatar
  • Posts: 3423
  • Loc: Richland, WA

Post 68 days ago

I do not have an exact answer for you, but I can give you a reasonable guess as to why this would happen. When using `eval` you are taking a string and evaluating it as php in your current context (you have access to all the variables and you can even change them). But it's really being evaluated separately. So when you add the closing php tag `?>` you are stepping out of the php execution context and telling the engine to just return the string, much the same way you might do in other places. Because the evaluation is separate, you are not closing the originals codes php execution, so any code after the eval will still be ran normally.
  • wpas
  • Proficient
  • Proficient
  • User avatar
  • Posts: 378
  • Loc: Canada

Post 67 days ago

Thanks for your response.

What I have gathered then is as follows:

eval() evaluates the string given as PHP code and so is a method of running PHP code.

We just treat anything you feed to eval as if it was a normal PHP script that just so happens to have a <?php opening tag magically applied to it.

If we prepend "?>". (with the dot) to the PHP code, this will cause an exit in PHP mode as the first thing in the eval block, eval will just treat that text as normal output, just like a full-blown PHP script would.

This means then that when we prepend "?>". to the PHP code we go into HTML mode before evaluating it.

Post Information

  • Total Posts in this topic: 7 posts
  • Users browsing this forum: No registered users and 25 guests
  • You cannot post new topics in this forum
  • You cannot reply to topics in this forum
  • You cannot edit your posts in this forum
  • You cannot delete your posts in this forum
  • You cannot post attachments in this forum
 
 

© 1998-2017. Ozzu® is a registered trademark of Unmelted, LLC.