PHP form as a resource - interpreted as text


by Andrew Lian -
Number of replies: 17

Dear All,

I am learning moodle and find it very interesting.

I am interested in uploading a resource consisting of a .php file. Running the file would enable information to be sent to a database.

The problem I have is that when I link to the php file, it appears as text and does not execute as a .php file.

.html and .pdf and .doc files are all interpreted correctly. My browser interprets .php files correctly.

I suspect there is a security issue underneath this problem but I am not sure of this and I still want to be able to run my .php forms.

Thanks for everyone's help. It is appreciated

Andrew

In reply to Andrew Lian

Re: PHP form as a resource - interpreted as text

by Sarah Woods -

I've had the same problem. Near as I can tell, if you've set up your image/file storage directory as instructed (in the Moodle installation instructions)  in a FTP folder, it doesn't execute php. Technically, it's outside the "webserver" and php is a server-based language. So if you're in Moodle and upload a php file as a resource, it's *actually* sitting in a directory that doesn't know what to do with php and therefore will just display the contents of the file.

So I placed the .php file within the Moodle directory and then linked it as a web link instead. I did it with Martin's image gallery file and it works really well. In that case, I also had to change the permissions on the php file to make sure it could write, because it makes thumbnails etc. on the fly.

I'm not happy with my solution, because I would love to be able to run this great little gallery from every one of my Moodle classrooms, but as it stands it would be a logistical nightmare to set up.

If anyone has a more eloquent idea, I'm all ears!

In reply to Sarah Woods

Re: PHP form as a resource - interpreted as text

by Andrew Lian -

Thanks very much Sarah.

Yes I had also thought that might be the problem but was hoping that it wasn't. But I think you are absolutely right.

My problem is actually a security issue. If people know the URL of my forms, they may be able to access the php file directly unless the files are outside the "webserver". At least that's what happens with CMS systems like phpnuke. I have not tried this with moodle yet.

As my files write to a mysql database, I want the forms to be as secure as possible - otherwise my database will get hacked. I would like to insist that my users login before accessing the php files.

I will try your suggestion Sarah, but if you are able to tell me if your setup is secure that would be great.

Thanks - Andrew

In reply to Andrew Lian

Re: PHP form as a resource - interpreted as text

by Jan Dierckx -
Andrew,
You can always add one of the checks that are built into the Moodle API (take a look here and browse the moodlelib.php file).
If you include moodle's config.php in your program, then you can check if someone is logged in with require_login();
And you can check if it is a teacher / student / etc...
Another option is to use one of the newly revamped resource styles: the program resource. With it you can pass user / course information from Moodle to an outside PHP application. Then you can check someone's credentials inside your application.
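
The approach described in the post above, as an added example that is not part of the original post or of Moodle's own code: a form handler placed inside the Moodle directory that includes config.php and calls require_login() before it touches the database. It assumes a current Moodle release; the file name feedback.php, the table local_feedback and its fields are hypothetical.

```php
<?php
// feedback.php: hypothetical form handler stored in the Moodle web root.
// Assumptions: current Moodle API names; a hypothetical table "local_feedback"
// with fields userid, courseid, comment, timecreated.
require_once(__DIR__ . '/config.php');      // loads the Moodle session, $DB, $USER

// Typed parameter helpers reject missing or non-integer input.
$courseid = required_param('course', PARAM_INT);
$course   = $DB->get_record('course', ['id' => $courseid], '*', MUST_EXIST);

// Sends the visitor to the Moodle login page unless they are logged in and
// allowed into this course, so knowing the URL alone is not enough.
require_login($course);
$context = context_course::instance($course->id);

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    require_sesskey();                      // CSRF check: token must match the session
    $record = new stdClass();
    $record->userid      = $USER->id;       // taken from the session, never from the form
    $record->courseid    = $course->id;
    $record->comment     = required_param('comment', PARAM_TEXT);
    $record->timecreated = time();
    $DB->insert_record('local_feedback', $record);  // bound values, no string-built SQL
    redirect(new moodle_url('/course/view.php', ['id' => $course->id]));
}

$PAGE->set_url('/feedback.php', ['course' => $course->id]);
echo $OUTPUT->header();

// Role check: only users with a teacher-level capability see the totals.
if (has_capability('moodle/course:update', $context)) {
    $count = $DB->count_records('local_feedback', ['courseid' => $course->id]);
    echo '<p>Submissions so far: ' . (int)$count . '</p>';
}
?>
<form method="post" action="feedback.php">
  <input type="hidden" name="course" value="<?php echo (int)$course->id; ?>">
  <input type="hidden" name="sesskey" value="<?php echo sesskey(); ?>">
  <textarea name="comment" rows="4" cols="40"></textarea>
  <input type="submit" value="Send">
</form>
<?php
echo $OUTPUT->footer();
```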
In reply to Andrew Lian

Re: PHP form as a resource - interpreted as text

by Sarah Woods -
I can't vouch for the security one way or another, I don't know enough about it. Technically speaking, someone could access the php file directly. But I think there's a big difference between being able to look at a form and hack a database. Then again, perhaps I'm being naive.
In reply to Sarah Woods

Re: PHP form as a resource - interpreted as text

by Jan Dierckx -

Sarah,

(off topic, concerning your question about Martin's PhotoFrame)

Here is my try at turning this 'great little gallery' into a Moodle module.

You might want to read this discussion to find out about all the bugs that I added to Martin's code.

I'm not sure I know enough PHP to get rid of all of them.

In reply to Sarah Woods

Re: PHP form as a resource - interpreted as text

by N Hansen -
You know, I know nothing about php but I came across what seemed like a very well documented and easy to use php tellafriend recommendation form that I wanted to incorporate into my site and I spent all afternoon the other day configuring it as I wanted it only to find it wouldn't work. Tried pasting it into a resource, tried linking to it as a resource-nothing. I was extremely frustrated by this because I felt that in a way Moodle's structure was now preventing me from implementing something that otherwise should be fairly easy to use. I've been able to find a work around for everything else I wanted to do with my site even if it weren't already in Moodle so far except this recommendation form and I really was disheartened by it. I guess I have to wait until someone incorporates such a module into Moodle itself...
In reply to N Hansen

Re: PHP form as a resource - interpreted as text

by Andrew Lian -

Thanks everyone for the feedback.

The problem I have is common to lots of content management systems (CMS) and I think Sarah's analysis is exactly correct. It's just that I would have thought there was enough demand for the kind of thing I am trying to do to build into CMS systems the sort of facility I am thinking of. There must be a way of playing with sessions etc. to make it happen without every user of every CMS having to hack the system's code.

The issue of whether my use of php forms is in itself a security risk is another issue and I am aware there is a potential risk. Thank you to Bill for pointing it out.

cheers

andrew

In reply to N Hansen

Re: PHP form as a resource - interpreted as text

by Bob Gettings -
The way that I usually integrate other php applications as a resource is

1. Set up the application to run independently in a different folder.
2. The application will probably have a URL for the page or form produced by php. Copy this URL and paste it as a web page resource.

For example my moodle independent wiki site:

http://bgettings.com/wiki/erfurtWiki/index.php?page=Indivdiual+Topics

This has worked for me many times.

Bob
In reply to Bob Gettings

Re: PHP form as a resource - interpreted as text

by Jan Dierckx -

Agreed, it can be hard to integrate other pieces of code into Moodle (By the way, Bob, ErfurtWiki is now completely integrated into Moodle 1.4 !)

I don't understand N's remark that ...

in a way Moodle's structure was now preventing me from implementing something that otherwise should be fairly easy to use.

If it has not (or not yet - look at the rate at which Moodle is developing) been turned into a Moodle module, it's always possible to install it as a completely separate application and then link to it from within Moodle, just like one would with a webpage resource. (as Bob suggested)

Of course the application will show that it's not a part of Moodle (theme / navigation / ...) but this would also be the case (I think) if one were to integrate it into one's own webspace: it would be just as difficult to make it look like the site's other pages. I don't understand the otherwise should be fairly easy to use part of N's remark. How can Moodle take away the ease of implementation of another application?

(N., I don't know anything about CSS and styles etc... I'm still using Moodle's original themes. Is that what you are referring to? Is Moodle's look making it more difficult to implement other applications without it being too obvious to the students using it...?)

In reply to Jan Dierckx

Re: PHP form as a resource - interpreted as text

by N Hansen -
I'm not talking about themes at all. That is fixable in most cases. I'm talking about the way in which Moodle acts upon content in a technical way. You can't simply add php code to a page within Moodle, as Moodle modifies it when it gets processed through Moodle. But I'm not a programmer so I really don't understand exactly what is going on so you can take what I say on this matter with a grain of salt.
In reply to N Hansen

Re: PHP form as a resource - interpreted as text

by Bill Burgos -
Hello n,

I can understand the frustration that you feel of not being able to just drop in some php code and have Moodle process it for you.

PHP is a very powerful language that does quite a bit more than deliver html language to a web browser. It can actually perform regular computer code functions and can run like any other program. It even runs by the command line. Which means that there does not have to be any user interaction or homepage request.

The danger of having Moodle as open as you suggest is that anyone can, either with malicious intent or by mistake, do quite a bit of damage (delete files, database entries, send spam, and other potentially nasty things I wouldn't know myself).

You can take a look at some of the built in 'functions' of php at:

http://www.php.net/

and

http://www.php.net/manual/en/funcref.php

for the function reference.

If an average programmer puts any of these functions in the php code and drops it into Moodle and Moodle parses it, a lot of damage can be done with the site.

There are ways to work around it in that you can link or process your php code outside of the Moodle environment and give it the appearance of being integrated, some have already been mentioned.
In reply to Bill Burgos

Re: PHP form as a resource - interpreted as text

by Chardelle Busch -

I'm not sure if this is what you are wanting to do, and I am no expert, but I do use php forms on my site.  The form itself is an html file, which is "sent" to the php file, e.g.:  <form id="form" method="post" action="report.php" enctype="multipart/form-data">

I have both the html and the php files in a "forms" folder on my site (separate from my Moodle folder).  Then, I just link the html file as a resource.  The form data is then sent via email. 

This is not ideal, as the data does not get entered into the database (I use it mostly for a feedback questionnaire). 

You might want to go to the bug tracker and take a look at the requested Data Module.

Chardelle

In reply to Chardelle Busch

Re: PHP form as a resource - interpreted as text

by Andrew Lian -

Hi Chardelle and thanks

My files do similar things to yours. My issue is a security issue. I want the files to be accessed only by people who have logged into moodle. I do not want the files to be available to the general public.

The solution that was pointed to by Bill Burgos which is to include some moodle code to check whether someone is logged in may be a good idea. It does mean though that I would have to hack my php files (which are produced by Codecharge) but it seems pretty easy. I would also have to put them into my site rather than outside.

I guess I just keep hoping that there are some automated systems which will let me do what I want...

ciao

Andrew

In reply to Bob Gettings

Re: PHP form as a resource - interpreted as text

by Andrew Lian -

Hi Bob

Thanks for your feedback. I will try it out. But... How does this arrangement protect the php application from unauthorised access? Basically, I need the php application to be available only once the user has logged into moodle.

cheers

andrew

In reply to Sarah Woods

Re: PHP form as a resource - interpreted as text

by N Hansen -
Sarah-Could you explain in more detail what you mean when you say you put the php file in the Moodle directory? Directly in the Moodle directory? I'm slightly confused because I don't have my Moodle in a separate directory-it's at the top level of my site so I don't have a directory called "Moodle."

Since I simply want to add a php form that I want to be accessible to the whole world, not just registered site users, does this mean I don't have to worry security-wise? I presume the security concerns that people have raised are threats to the file itself when it is a resource that is outside of the normal protection of a course? Does putting a php page that is not secure within a directory pose any threat security-wise to other files, or is it only a security threat to itself?

I'm starting to feel hopeful again about getting this up and running!
In reply to Andrew Lian

Re: PHP form as a resource - interpreted as text

by Bill Burgos -
Hi Andrew,

Having Moodle execute PHP code in the manner you describe is a security risk.
See here:

http://moodle.org/mod/forum/discuss.php?d=895

HTH,

Bill
In reply to Bill Burgos

Re: PHP form as a resource - interpreted as text

by Andrew Lian -

Thanks Bill,

I have visited the link you mention and it looks to me as though some of the code-hacking suggestions would work. Will have to spend some time on it.

cheers

andrew