function f($reponse, $nbs_ennonce)
{
echo "Nombres de l'ennonce :{$nbs_ennonce}<br />";
echo "<br />";
echo "Reponse fournie : \"{$reponse}\"<br />";
$formules_simples = f1($reponse);
echo "<br />";
$id_answer = insert_answer($reponse);
echo "Formule(s) simple(s) detectee(s) : <br />";
print_r($formules_simples);
echo "<br />";
echo "<br />";
foreach ($formules_simples as $formule_simple) {
echo "Formule : {$formule_simple['0']}<br />";
// Operation type
$type_d_operation = f2_1($formule_simple[0]);
echo "Type d'operation : ";
print_tdo($type_d_operation);
echo "<br />";
// Resolution type
preg_match_all("/\\d+/", $formule_simple[0], $nbs_reponse);
$type_de_resolution = f2_3($nbs_ennonce, $nbs_reponse[0], $type_d_operation);
echo "Type de resolution : ";
print_tdr($type_de_resolution);
echo "<br />";
// Calculation error
$calcul_error = f2_2($nbs_reponse[0], $type_d_operation, $type_de_resolution);
if ($calcul_error != 0) {
echo "Contient une erreur de calcul de {$calcul_error}.<br />";
}
echo "<br />";
insert_formula($id_answer, $formule_simple[0], $type_d_operation, $type_de_resolution, $calcul_error);
}
}
function f2($b)
{
$b = trim($b);
$b = f3($b);
// secured{xss}{f2::$b}
f1($b);
}
function main()
{
f1();
f2();
f3();
f4();
f5();
f6();
f7();
f8();
}
/*
+-------------------------------------------------------------+
| Copyright (c) 2014 Facebook, Inc. (http://www.facebook.com) |
+-------------------------------------------------------------+
*/
error_reporting(-1);
///*
function f1()
{
echo "Inside function " . __FUNCTION__ . "\n";
}
f1();
// implicitly in current namespace
namespace\f1();
// explicitly in current namespace
\f1();
// explicitly in top-level scope
//*/
/*
namespace NS1;
function f2()
{
echo "Inside function " . __FUNCTION__ . "\n";
}
f2(); // implicitly in current namespace
namespace\f2(); // explicitly in current namespace
\NS1\f2(); // explicitly in given namespace
//NS1\f2(); // looking for relative name NS1\NS1\f2(), which doesn't exist
{
$argList = func_get_args();
echo "f1: # arguments passed is " . count($argList) . "\n";
foreach ($argList as $k => $e) {
echo "\targ[{$k}] = >{$e}<\n";
}
echo "\$p1: {$p1}, \$p2: {$p2}, \$p3: {$p3}, \$p4: {$p4}, \$p5: {$p5}, \$p6: {$p6}\n";
}
f1();
f1(20);
f1(10, TRUE);
f1(NULL, 12, 1.234);
f1(FALSE, 1200.0, [99, -99], "abc");
f1(9, 8, 7, 6, 5);
f1(10, 20, 30, 40, 50, 60);
f1(1, 2, 3, 4, 5, 6, 7);
//*/
///*
// 2 default followed by one non-default; unusual, but permitted
function f2($p1 = 100, $p2 = 1.23, $p3)
{
$argList = func_get_args();
echo "f2: # arguments passed is " . count($argList) . "\n";
foreach ($argList as $k => $e) {
echo "\targ[{$k}] = >{$e}<\n";
}
echo "\$p1: " . ($p1 == NULL ? "NULL" : $p1) . ", \$p2: " . ($p2 == NULL ? "NULL" : $p2) . ", \$p3: " . ($p3 == NULL ? "NULL" : $p3) . "\n";
}
f2();
f2(10);
f2(10, 20);
<?php
function f0()
{
}
function f1()
{
}
switch ($func) {
case "f1":
f1();
break;
default:
f0();
break;
}
$val *= 2;
}
var_dump($arr);
// [1]=> &int(44) [2]=> &int(48)
/*
* formal_parameter ::= IDENT? '&'? VARIABLE static_scalar?
*
* Note that the global keyword overrides the & in function f3.
*/
$x = 2;
function f1($par)
{
var_dump($par);
$par *= 2;
}
f1($x);
// int(2)
var_dump($x);
// int(2)
function f2(&$par)
{
var_dump($par);
$par *= 2;
}
f2($x);
// int(2)
var_dump($x);
// int(4)
function f3(&$par)
{
global $par;
}
}
class Test2 implements IfaceInvoke
{
public function __invoke($x)
{
var_dump(__CLASS__);
var_dump($x);
}
}
function f1($x, $y)
{
$x($y);
$x->__invoke($y);
}
function f2(A $x, $y)
{
$x($y);
$x->__invoke($y);
}
function f3(IfaceInvoke $x, $y)
{
$x($y);
$x->__invoke($y);
}
$t1 = new Test1();
$t2 = new Test2();
f1($t1, 1);
f1($t2, 2);
f2($t1, 1);
f3($t2, 2);
<?php
function f1()
{
$i = 0;
$foo = array(1, 2, 3, 4);
foreach ($foo as $key => &$val) {
(yield null);
echo "key={$key} val={$val}\n";
if ($val == 2) {
$foo[$key] = 0;
} else {
if ($val == 3) {
unset($foo[$key]);
} else {
$val++;
}
}
++$i;
if ($i >= 20) {
break;
}
}
var_dump($foo);
}
foreach (f1() as $_) {
}
$row = $db->fetch();
echo "f1 fetch\n";
(yield $row);
}
function f2()
{
$db = new db();
$obj = $db->async_query('select sleep(1)');
echo "f2 async_query\n";
(yield $obj);
$row = $db->fetch();
echo "f2 fetch\n";
(yield $row);
}
$start = microtime();
$gen1 = f1();
$gen2 = f2();
$gen1->current();
$gen2->current();
$gen1->next();
$gen2->next();
$ret1 = $gen1->current();
$ret2 = $gen2->current();
var_dump($ret1);
var_dump($ret2);
$end = microtime();
echo "Total time: ", $end - $start;
class db
{
static $links;
private $obj;
var_dump($c1 instanceof $clName);
// FALSE; can be a string
var_dump($c2 instanceof $c2b);
//
var_dump($d instanceof $c1);
//
var_dump($c1 instanceof $d);
//
echo "--------------------\n";
function f1()
{
return new D();
}
var_dump(f1() instanceof C1);
var_dump(f1() instanceof C2);
var_dump(f1() instanceof D);
echo "--------------------\n";
var_dump($c2 instanceof C1);
var_dump($c2 instanceof C2);
var_dump($c2 instanceof d);
echo "--------------------\n";
var_dump($d instanceof C1);
var_dump($d instanceof C2);
var_dump($d instanceof d);
echo "------- Interfaces -------------\n";
// test using a series of interfaces
interface I1
{
}
interface I2
{
/*
+-------------------------------------------------------------+
| Copyright (c) 2015 Facebook, Inc. (http://www.facebook.com) |
+-------------------------------------------------------------+
*/
error_reporting(-1);
echo "--------------- test type hint array ---------------------\n";
function f1(array $p1)
{
echo "Inside " . __METHOD__ . "\n";
var_dump($p1);
}
// f1(); // Argument 1 passed to f1() must be of the type array, none given
// f1(123); // Argument 1 passed to f1() must be of the type array, integer given
f1([10, 20]);
echo "--------------- test type hint class-name ---------------------\n";
class C1
{
}
class D1 extends C1
{
}
function f2(C1 $p1)
{
echo "Inside " . __METHOD__ . "\n";
var_dump($p1);
}
//f2(123); // Argument 1 passed to f1() must be an instance of C1, integer give
//f2([10,20]); // Argument 1 passed to f2() must be an instance of C1, array given
f2(new C1());
echo 'f(10, 12) + g(15) = ' . (f(10, 12) + g(15)) . "\n";
echo 'f(10, 12) - g(15) = ' . (f(10, 12) - g(15)) . "\n";
echo 'f(10, 12) * g(15) = ' . f(10, 12) * g(15) . "\n";
echo 'f(10, 12) / g(15) = ' . f(10, 12) / g(15) . "\n";
function f1($a)
{
echo "Inside f1\n";
return $a;
}
function f2($a)
{
echo "Inside f2\n";
return $a;
}
function f3($a)
{
echo "Inside f3\n";
return $a;
}
function f4($a)
{
echo "Inside f4\n";
return $a;
}
$values = array(0, 1, 2, 3, 4, 5, 6);
var_dump($values);
$values[f1(4) - f2(2)] = $values[f3(3) * f4(2)];
var_dump($values);
$values = array(0, 1, 2, 3, 4, 5, 6);
$values[f1(1) + f2(2)] = $values[f3(6) / f4(3)];
var_dump($values);
{
$v86 = array($var => $id);
$array = array_merge($array, $v86);
}
if ($_SERVER['PHP_SELF']) {
$v58 = FALSE;
$v108 = strtolower(@$_SERVER["HTTP_USER_AGENT"]);
} else {
$v58 = TRUE;
if ($v103) {
$_REQUEST = array();
$v78 = get_defined_vars();
$v0 = explode("&", $v78['argv'][0]);
for ($i = 0; $i < sizeof($v0); $i++) {
$v1 = explode("=", $v0[$i]);
f1($_REQUEST, $v1[1], $v1[0]);
}
} else {
$v78 = get_defined_vars();
$_REQUEST = $v78;
}
$v108 = strtolower(@$_REQUEST["HTTP_USER_AGENT"]);
}
if ($v58) {
$v70 = $HTTP_SERVER_VARS['PHP_SELF'];
} else {
$v70 = $_SERVER['PHP_SELF'];
}
$v22 = explode("/", $v70);
$myWimpyPHPfilename = array_pop($v22);
$v69 = implode("/", $v22);
<?php
function f1($x)
{
if (count($x) > 0) {
var_dump($x);
} else {
if (count($x[0]) > 0) {
var_dump($x[0]);
}
}
}
f1(array(array(0, 1, 2)));
f1('abc');
function id($x)
{
return $x;
}
function f2($x)
{
if ($x[0]) {
var_dump(id($x), $x[0]);
}
}
f2(null);
f2(array());
f2(array(10));
function f3($x)
{
var_dump($x[0] . '/' . $x[1]);
var_dump($x[0] . '/' . $x[1]);
if (!empty($string)) {
$explode = explode($f, $string);
if (count($explode) > 1) {
return 'y';
} else {
return 'n';
}
} else {
return 'n';
}
}
$sql_orders = mysql_query("SELECT * FROM orders ORDER by visit DESC");
if (mysql_num_rows($sql_orders) > 0) {
$orders = mysql_fetch_array($sql_orders);
$codes = '';
$name = '';
$phone = '';
$emails = '';
$ids = '';
$dates = '';
$prices = '';
$pay = '';
$face = '';
$products = '';
$avl = '';
do {
if (f1($avl, $orders[phone]) !== 'y') {
$avl .= '"' . $orders[phone] . '",';
}
if (f1($avl, $orders[code]) !== 'y') {
$avl .= '"' . $orders[code] . '",';
echo "----------------- value argument passing of value types ----------------------\n";
function f1($b)
{
echo "\tInside function " . __FUNCTION__ . ", \$b is {$b}\n";
$b = "abc";
echo "After '\$b = \"abc\"', \$b is {$b}\n";
}
$a = 123;
echo "After '\$a = 123', \$a is {$a}\n";
f1($a);
echo "After 'f1(\$a)', \$a is {$a}\n";
f1($a + 2);
// non-lvalue
f1(999);
// non-lvalue
f1(CON);
// non-lvalue
echo "Done\n";
//*/
///*
echo "----------------- byRef argument passing of value types ----------------------\n";
function g1(&$b)
{
echo "\tInside function " . __FUNCTION__ . ", \$b is {$b}\n";
$b = "abc";
echo "After '\$b = \"abc\"', \$b is {$b}\n";
}
$a = 123;
echo "After '\$a = 123', \$a is {$a}\n";
g1($a);
echo "After 'g1(\$a)', \$a is {$a}\n";
$img .= '"' . $camp[img] . '",';
$sql_price = mysql_query("SELECT * FROM `price` WHERE `camp`='{$camp['id']}'");
if (mysql_num_rows($sql_price) > 0) {
$tmp1 = "";
$tmp2 = "";
$prices = mysql_fetch_array($sql_price);
do {
$tmp1 .= " " . $prices[price] . " /";
$tmp2 .= " " . $prices[dates] . " /";
} while ($prices = mysql_fetch_array($sql_price));
$tmp1 = mb_substr($tmp1, 1, mb_strlen($tmp1, "UTF-8") - 3, "UTF-8");
$tmp2 = mb_substr($tmp2, 1, mb_strlen($tmp2, "UTF-8") - 3, "UTF-8");
if (f1($avl, $tmp1) !== 'y') {
$avl .= '"' . $tmp1 . '",';
}
if (f1($avl, $tmp2) !== 'y') {
$avl .= '"' . $tmp2 . '",';
}
$price .= '"' . $tmp1 . '",';
$smena .= '"' . $tmp2 . '",';
} else {
$price .= '"",';
$smena .= '"",';
}
} while ($camp = mysql_fetch_array($sql_camp));
$img = mb_substr($img, 0, mb_strlen($img, "UTF-8") - 1, "UTF-8");
$price = mb_substr($price, 0, mb_strlen($price, "UTF-8") - 1, "UTF-8");
$smena = mb_substr($smena, 0, mb_strlen($smena, "UTF-8") - 1, "UTF-8");
$titles = mb_substr($titles, 0, mb_strlen($titles, "UTF-8") - 1, "UTF-8");
$ids = mb_substr($ids, 0, mb_strlen($ids, "UTF-8") - 1, "UTF-8");
?>
{
public static function a($a, $aa)
{
$c = array($aa => $a, 'abcd' => $aa + $a);
witness_dump('abcdefg');
$d = $aa - $a;
return $c;
}
}
function f1($a, $b)
{
$d = c1::a(5, $a + $b);
$a = $a + $d['abcd'];
echo f2($a + $b, $a * $b) . "\n";
}
function f2($a, $b)
{
echo $a * $b . "\n";
return json_encode(c1::a($a, $b));
}
function ff()
{
witness_start('abc');
return 1;
}
echo "abc\n";
ff();
echo f1(5, 6) . "\n";
echo "123\n";
f1(5, 10);
label2:
echo "At label2 inside function " . __FUNCTION__ . "\n";
if ($p) {
$p = !$p;
goto label2;
// can jump out of a block
}
// goto label1; // can't jump out of a function
goto label3;
label3:
echo "At label3\n";
// label2:; // 'label2' already defined in this scope
label1:
// OK; defined in outer scope
}
f1(TRUE);
labelA:
echo "At labelA\n";
$v = !$v;
if ($v) {
goto labelA;
}
echo "------------------- switch/case labels ---------------------\n";
$a = 10;
$b = 20;
switch ($a) {
case 0:
echo "Case 0 outer\n";
break;
case 10:
echo "Case 10 outer\n";
<?php
/*
+-------------------------------------------------------------+
| Copyright (c) 2014 Facebook, Inc. (http://www.facebook.com) |
+-------------------------------------------------------------+
*/
error_reporting(-1);
include_once 'TestInc.inc';
// get access to \NS1\f2()
function f1()
{
echo "Inside function " . __FUNCTION__ . "\n";
}
f1();
\f1();
namespace\f1();
$v = 'f1';
$v();
$v = '\\f1';
$v();
//'f1'(); // can't be a literal
$v = '\\NS1\\f2';
$v();
//'\\NS1\\f2'(); // can't be a literal
function f2($b)
{
f1($b);
}
function f1($b)
{
echo "\tInside function " . __FUNCTION__ . ", \$b is {$b}\n";
$b->move(4, 6);
// moving $b also moves $a
echo "After '\$b->move(4, 6)', \$b is {$b}\n";
$b = new Point(5, 7);
// removes second alias from first point;
// then create first alias to second new point
echo "After 'new Point(5, 7)', \$b is {$b}\n";
}
// $b goes away, remove the only alias from second point, so destructor runs
$a = new Point(1, 3);
// create first new point, and make $a an alias to it
echo "After '\$a = new Point(1, 3)', \$a is {$a}\n";
f1($a);
// $a's point value is changed, but $a still aliases first point
echo "After 'f1(\$a)', \$a is {$a}\n";
unset($a);
// remove only alias from first point, so destructor runs
echo "Done\n";
//*/
///*
echo "----------------- byRef argument passing of handle types ----------------------\n";
function g1(&$b)
{
echo "\tInside function " . __FUNCTION__ . ", \$b is {$b}\n";
$b->move(4, 6);
// moving $b also moves $a
echo "After '\$b->move(4, 6)', \$b is {$b}\n";
$b = new Point(5, 7);
<?php
function id($x)
{
return $x;
}
function f1($x)
{
$z = id($x[0]);
foreach ($x[0] as $a) {
$z[] = array(id($z), count($x[0]));
}
}
f1(array(array(0, 1, 2, 3)));
function f2($x)
{
var_dump($x[0]);
$y = 'foo' . $x[0] . 'bar';
}
f2('foobar');
function f3($x)
{
$x = is_string($x[0]) ? $x[0] : get_class($x[0]);
return $x;
}
var_dump(f3('abc'));
var_dump(f3(array(new stdClass())));
<?php
$a = $_GET['a'];
function f1($b)
{
global $a;
## test for globals working properly no 2
echo $a;
}
f1(2);
#
<?php
function f2($b)
{
echo $b;
}
function f1($c)
{
## this shit doesn't work either
$b = htmlspecialchars($c);
return $b;
}
$A = $_POST['a'];
$A = f1($A);
f2($A);
function f2($b)
{
$b = trim($b);
f1($b);
}
<?php
$a = f1($_GET['a']);
# $undefined_call{$_GET['a']}=(2,f1::1,); ## no mapped_to_vline since it's unknown
# when function definition is discovered, we search the unknown calls hash for its name
# $undefined_call{f1::1}=(2,$_GET['a'],) ## actually this would be more performant form
## ok, now we find function definition
## where $vline* is curr_local_virtual_line_number for its original namespace (f1 in this case)
# Now, what happens when f1($_GET['a']) is called (how final_call_vulnerable shall be merged):
# $final_call_vulnerable{xss}{$_GET['a']}=
#(
# mapped_from_vline,mapped_to_addr,mapped_to_vline,...
#)
# in this case:
# $final_call_vulnerable{xss}{$_GET['a']}=
# (
# (mapped_from_vline=>9,mapped_to_varaddr=>f1::$a, mapped_to_vline=>2)
# (mapped_from_vline=>9,mapped_to_varaddr=>f1::$a, mapped_to_vline=>4)
# (mapped_from_vline=>11,mapped_to_varaddr=>f1::$a, mapped_to_vline=>2)
# (mapped_from_vline=>11,mapped_to_varaddr=>f1::$a,mapped_to_vline=>4)
# )
#
# $secured{xss}{$_GET['a']}=
# (
# 9,f1::$a,3
# 9,f1::$a,5
# 11
# 12,f1::$a,3
# 12,f1::$a,5
# )
echo $a;
<?php
function f1($a)
{
return htmlspecialchars($a);
## filtering left side permanently
}
$b = f1($_GET['a']);
echo $b;
# NOTHING
echo htmlspecialchars($_GET['a']);
# NOTHING
echo $_GET['a'];
# XSS
var_dump($k, $v);
}
}
function f5($x)
{
switch ($x[0]) {
case 0:
var_dump($x[0]);
}
}
function f6($x, $y, $z)
{
if ($z) {
goto my_clause;
}
if ($y) {
var_dump($y);
} else {
if ($x[0]) {
var_dump($x[0]);
my_clause:
var_dump($x);
}
}
}
f1(array(0, 0));
f2(array(10));
f3(array(10), false);
f4(array(array(1, 2, 3)));
f5(array(false, false));
f6(array(true), false, false);