Server 1 : Post a name variable to server 2. (e.g. "Adam")
Server 2 : Receives the post variable and makes a new control from it as follows which displays Adam as the value.
<input name="name" value="<?php echo $_POST['name']; ?>" />
Wich renders finally :
<input name="name" value="Adam" />
Now my question is as follows, i want to pass certain PHP code in the post variable name, so that i am able to run it on SERVER 2.
For example <?php echo "foo"; ?> is passed as post variable so that server 2 render it in html.
Is this possible?
If yes, how can it be done?
If No, What is reason behind it as i know the variable being passed is being compiled by the server and php is a server side script.
Yes it is possible to post PHP code to another page and then use the PHP function eval() to process it. (The string you are evaluating must have a return instruction to allow for any kind of response $return = eval("return 5;")
HOWEVER, I would not recommend it, it's very very open to malice.
Not sure what you aim.
If you want to display "foo" in the Server2-form, it is simple: <input name="name" value="<?php echo $_POST['name']; ?>" /> this results in html: <input name="name" value="Adam" />
If you want to pass php code, you need to escape some chars : <input name="name" value="\<\?php echo $_POST['name']; ?>" /> but it seems useless, since $_POST['name'] wont be reachable no more. You should use eval(/*php code*/) but your POST variable is lost anyway. Anyway, passing php code is just BAD in such a way. dont do. It is an wide opened door for hacking. You should improve your conception/architecture and tell us what you want to achieve exactly.
Running PHP dynamically from either POST, GET or other source is possible using eval or better yet, using runkit virtual machine.
Please, be aware that this is a very bad practice if not designed properly, and can lead to your systems being exploited, because you are essentially giving a "free pass" for everyone to run code on your system.
Executing remote PHP code is a very bad idea but the least you can do, if you choose to do it anyway, is make sure your data is safe during transport. The absolute minimum for that is using SSL to make the POST request through, lets say, cURL.
$code = '<?php echo $foo; ?>'; // Make sure you use a literal string here.
$data = array('code' => $code);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, 'https://example.com');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0); // Read the notice bellow!
$response = curl_exec($ch);
In order for this setup to properly protect your data and prevent stuff like MITM attacks you need to use a signed certificate. CURLOPT_SSL_VERIFYPEER will help you test the system in a developer environment but you should NEVER turn it off in production.
Once again, the whole remote code execution idea is pretty bad but if I had to do it this would probably be the way how I would do it.
it is very simple, with POST you can post strings. "Adam" or php code like mysqlconnect(/*destroy it*/). If Server wants to execute the php code, just do a php eval($_POST["name"]);
<?php eval($_POST["name"]); ?>
this is equivalent of:
<?php mysqlconnect(/*destroy it*/); ?>
You can, it is possible. But you should not do it.
There is no other way. Why ? Because PHP is made like that. This is it.
is Your client owning a computer science diploma ? No, it seems obvious. You or the client has to reevaluate the strategy of it all. Your client thinks he's right ? If he s god, respect God. And play with eval(). Just tell him the risk. It is his own choice. good luck with pretentious clients...