How to clear previously echoed items in PHP





In PHP, is there any way to clear/remove all previously echoed or printed items?

For example:

<?php
echo 'a';
print 'b';

// some statement that removes all printed/echoed items

echo 'c';

// the final output should be equal to 'c', not 'abc'
?>

My script uses the include function. The included files are not supposed to echo anything. Just in case someone (e.g. a hacker) tries, I need a way to remove it.





1:



<?php
ob_start();
echo 'a';
print 'b';

// some statement that removes all printed/echoed items
ob_end_clean();

echo 'c';

// the final output is equal to 'c', not 'abc'
?>
Output buffering functions.
The output buffering functions are also useful in hackery to coerce functions that only print to return strings, i.e.:
<?php
ob_start();
var_dump($myVar);
$data = ob_get_clean();
// do whatever with $data
?>



2:



While @monoxide is right, it's better to find more intuitive ways of doing the same.


e.g.:
<?php
$val_to_print = $a;
if ($need_to_change == true)
    $val_to_print = $b;
// when you are sure you won't have to change again...

echo $val_to_print;
?>
Cheers, jrh.


3:


Ideally, you shouldn't output anything that you don't ultimately want printed.

Keep your logic separate from your presentation for less frustration. That being said, you can consult the Output Buffering options within PHP.


4:


If it is debug output and program status information you are worried about, maybe trigger_error may be nearer to what you need, such as:
trigger_error ("Attempting to load report #{$report_id}.", E_USER_NOTICE); 
When your script is in production it won't show up any errors, as generally they are disabled or logged.

It's also best to do fatal errors this way with E_USER_ERROR rather than using die ().
ob_start ();
require ($filename);
$html = ob_get_clean ();
The above will also include a file and give you its contents as a string.

Caveat: Ditching the buffer will also ditch any error messages thrown up, making debugging (potentially) a nightmare.
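
The buffered include described in the answers above, wrapped so that stray output from an included file is discarded but logged rather than lost, and a changed buffer level is noticed. This is an added example, not code from any of the answers; include_quietly() and the temporary sample file are assumptions made for illustration.

```php
<?php
// Added example. include_quietly() is a hypothetical helper, not a PHP built-in.
function include_quietly(string $file): array
{
    $baseLevel = ob_get_level();      // buffers already open before this call
    $result = null;
    $discarded = '';
    $tampered = false;
    ob_start();
    try {
        $result = include $file;
    } finally {
        // Close any extra buffers the included file opened and left open.
        while (ob_get_level() > $baseLevel + 1) {
            ob_end_clean();
        }
        if (ob_get_level() === $baseLevel + 1) {
            $discarded = (string) ob_get_clean();
        } else {
            // Our buffer is gone: the included code closed or flushed it,
            // so its output may already have been sent.
            $tampered = true;
        }
        if ($discarded !== '' || $tampered) {
            // Escape control bytes so the text cannot forge extra log lines.
            error_log(sprintf(
                '%s: discarded %d bytes of output%s: %s',
                basename($file),
                strlen($discarded),
                $tampered ? ' (buffer level changed)' : '',
                addcslashes(substr($discarded, 0, 200), "\0..\37\177..\377")
            ));
        }
    }
    return ['result' => $result, 'discarded' => $discarded, 'tampered' => $tampered];
}

// Constructed sample: an include file that prints although it should not.
$sample = tempnam(sys_get_temp_dir(), 'inc');
file_put_contents($sample, "<?php echo 'a'; print 'b'; return ['title' => 'Report'];");
$page = include_quietly($sample);
unlink($sample);

echo 'c';
```

The wrapper keeps accidental output out of the response; it does not constrain what the included code can otherwise do, which is the point the last answer makes.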


5:


If a hacker, let's say, has access to your PHP file, he will also be able to remove the statement clearing the output buffer. If you are doing this because you are letting your users upload PHP scripts, let me tell you that this is an extremely bad idea. In both cases, doing what you are asking for adds 0 security.


