0

I'm using JSON to send the JavaScript script code over to a PHP script to get packed (encrypted). I'm using Dean Edwards' PHP JavaScript Packer (http://joliclic.free.fr/php/javascript-packer/en/index.php). The packer works fine, but I am facing a weird problem causing the packed results to go wrong.

Here's the original script I want to pack:

<script type='text/javascript'>jwplayer('mediaspace').setup({ 'flashplayer': 'http://www.domain.com/player/player/player.swf', 'file': 'http://doamin.com','image': 'http://www.domain.com/images/background.jpg', 'skin': 'http://www.domain.com/player/skin/glow.zip', 'plugins': 'hd-2,timeslidertooltipplugin-1', 'hd.file': 'http://doamin.com', 'controlbar': 'over', 'stretching': 'exactfit', 'width': '700', 'height': '404' });</script>

I use JavaScript escape on this script before sending it to my PHP script.

It looks like this after being escaped:

%3Cscript%20type%3D%27text/javascript%27%3Ejwplayer%28%27mediaspace%27%29.setup%28%7B%20%27flashplayer%27%3A%20%27http%3A//www.domain.com/player/player.swf%27%2C%20%27file%27%3A%20%27http%3A//domain.com%27%2C%20%20%20%20%20%27image%27%3A%20%27http%3A//www.domain.com/images/background.jpg%27%2C%20%27skin%27%3A%20%27http%3A//www.domain.com/player/skin/glow.zip%27%2C%20%27plugins%27%3A%20%27hd-2%2Ctimeslidertooltipplugin-1%27%2C%20%27hd.file%27%3A%20%27http%3A//domain.com%27%2C%20%27controlbar%27%3A%20%27over%27%2C%20%27stretching%27%3A%20%27exactfit%27%2C%20%27width%27%3A%20%27700%27%2C%20%27height%27%3A%20%27404%27%20%7D%29%3B%3C/script%3E

Then I send this over to my PHP script using JSON.

PHP script to get the value, pack the script and return the packed script to the JavaScript:

<?php
$src = $_GET['code'];
$callback = $_GET['callback'];

require 'class.JavaScriptPacker.php';

$packer = new JavaScriptPacker($src, 'Normal', true, false);
$packed = $packer->pack();

$output = array('error'=>'none', 'results'=> $packed , 'source' => $src);
$out_string =  json_encode($output);
echo $callback.'('.$out_string.');';
?>

P.S. I have added 'source' to the array, so I can check exactly what PHP gets.

Now the problem: I don't know why, but PHP is adding backward slashes to the source/$src as shown below:

<script type=\'text/javascript\'>jwplayer(\'mediaspace\').setup({ \'flashplayer\': \'http://www.domain.com/player/player.swf\', \'file\': \'http://domain.com\', \'image\': \'http://www.domain.com/images/ackground.jpg\', \'skin\': \'http://www.domain.com/player/skin/glow.zip\', \'plugins\': \'hd-2,timeslidertooltipplugin-1\', \'hd.file\': \'http://domain.com\', \'controlbar\': \'over\', \'stretching\': \'exactfit\', \'width\': \'700\', \'height\': \'404\' });</script>

This wrecks the packed results.

Results I wanted:

eval(function(p,a,c,k,e,d){while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+c.toString(a)+'\\b','g'),k[c])}}return p}('<8 g=\'f/e\'>d(\'l\').k({\'j\':\'3://6.5.0/4/4/4.n\',\'7\':\'3://b.0\',\'m\':\'3://6.5.0/i/h.c\',\'9\':\'3://6.5.0/4/9/x.z\',\'o\':\'a-2,w-1\',\'a.7\':\'3://b.0\',\'y\':\'v\',\'u\':\'q\',\'p\':\'r\',\'s\':\'t\'});</8>',36,36,'com|||http|player|domain|www|file|script|skin|hd|doamin|jpg|jwplayer|javascript|text|type|background|images|flashplayer|setup|mediaspace|image|swf|plugins|width|exactfit|700|height|404|stretching|over|timeslidertooltipplugin|glow|controlbar|zip'.split('|')))

But the results I got due to the backward slashes (which wreck the script too):

eval(function(p,a,c,k,e,d){while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+c+'\\b','g'),k[c])}}return p}('<2 1=\\\'0/3\\\'>4(\\\'7\\\').6({\\\'5\\\':\\\'8:',9,9,'text|type|script|javascript|jwplayer|flashplayer|setup|mediaspace|http'.split('|')))

What am I doing wrong?

3 Answers

1

Add this at the start of your PHP script:

if(get_magic_quotes_gpc())
{
    function undo_magic_quotes_array($array)
    {
        // Recurse into nested arrays; strip slashes from scalar values.
        return is_array($array) ? array_map('undo_magic_quotes_array', $array) : stripslashes($array);
    }
    $_GET = undo_magic_quotes_array($_GET);
    $_POST = undo_magic_quotes_array($_POST);
    $_COOKIE = undo_magic_quotes_array($_COOKIE);
    $_FILES = undo_magic_quotes_array($_FILES);
    $_REQUEST = undo_magic_quotes_array($_REQUEST);
}

6 Comments

Use stripslashes instead of your str_replace calls.
stripslashes works with string types, but str_replace works with a whole array. With stripslashes it wouldn't work for nested arrays.
But you never pass an array to that function - if it's an array, you use array_map which calls your function on every item of the array.
<input type="text" name="fields[form1][username]" value="some ' unescaped value"/> - this would fail, as array_map goes only through 1st-level elements of an array
But then your function is called recursively so array_map will be used again.
1

You probably have magic_quotes turned on which automatically adds the backslash to POST, GET and COOKIE variables.

Disable it in php.ini (it's deprecated as of PHP 5.3 and removed in 5.4 anyway) or simply use stripslashes:

$src = $_GET['code'];
if (get_magic_quotes_gpc())  
  $src = stripslashes($src);

Or you can escape all $_GET variables at once:

$_GET = array_map('stripslashes', $_GET);
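
The two points raised in the answers and comments above, as an added PHP example that is not code from the thread: a recursive helper does reach nested arrays, and stripping without checking the setting damages input that contains real backslashes. The function names and sample values are constructed for illustration.

```php
<?php
// Added example; undo_gpc_slashes(), gpc_slashes_active(),
// simulate_magic_quotes() and the sample data are illustrative names.

// Undo addslashes() on a scalar or on arbitrarily nested arrays.
function undo_gpc_slashes($value)
{
    return is_array($value)
        ? array_map('undo_gpc_slashes', $value)   // recursion reaches every level
        : stripslashes($value);
}

// get_magic_quotes_gpc() no longer exists in PHP 8, so test for it first.
function gpc_slashes_active()
{
    return function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
}

// Simulate what magic quotes does to every incoming value.
function simulate_magic_quotes($value)
{
    return is_array($value)
        ? array_map('simulate_magic_quotes', $value)
        : addslashes($value);
}

// Constructed request data as the client sent it (after URL decoding).
$sent = array(
    'code'   => "jwplayer('mediaspace').setup({ 'width': '700' });",
    'regex'  => 'var re = /\bfile\b/;',   // contains real backslashes
    'fields' => array('form1' => array('username' => "some ' unescaped value")),
);
$quoted = simulate_magic_quotes($sent);

// Case 1: magic quotes on. Recursive stripping restores the input, nested keys included.
if (undo_gpc_slashes($quoted) !== $sent) {
    throw new RuntimeException('recursive undo did not restore the input');
}

// Case 2: magic quotes off. Stripping anyway deletes backslashes the client really sent.
if (undo_gpc_slashes($sent) === $sent) {
    throw new RuntimeException('expected unconditional stripping to damage the input');
}

// So strip only when the setting is actually active.
$input = gpc_slashes_active() ? undo_gpc_slashes($_GET) : $_GET;
echo "checks passed\n";
```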


0

It is because of json_encode. You are treating your entire script as if it were a string. Naturally, as a string, it will need \ to escape various characters.

The JSON that would be created here looks something like this:

{
    'error':'none', 
    'results':'eval(...)',
    'source':'...whatever your $src is...'
}

Notice that eval(...) and whatever your $src was are now wrapped in quotes. They are strings and various characters must be escaped.
