How does request processing works out from the perspective of a php developer? More than that I'm concerned with e.g. once request is parsed through.htaccess ,mapped to the file and respone is sent back. The mechanism of how this response gets sent back to the client is what I eagerly want to know ? Why? I'm developing a PHP script that needs to know what exactly is coming from the database to the client so that I can alter it in the middle. I cannot tweak the code of the developer as I have to make my script generic enough to work on code that I've never seen before i.e. No tweaking of the exising code. Can I do so in PHP ? Is there something like Global Variable or so to do this or anything else?

For an instance, take any simple login/signup page in PHP. When the user enters incorrect credentials, the page show incorrect username and password, i.e. say the developer is using echo function to achieve this. Now how can I put my script into the middle and expect that echo function to come to me and gets back to client. I' am again repeating, I don't know the code of the developer. The other fact is I can route all the incoming requests to the middle file, but to transfer the request to the actual file, require or include function are of not much good use as they don't allow to send params

3 Years
Discussion Span
Last Post by darne_1

It sounds as if you are trying to do something that may be very difficult if not impossible.You want some sort of control of the process but you have no control of the actual processing code. To see what is being "echo'd" to the user, you could possible have your own module that issues an ob_start to buffer the output and then includes the normal processing module. This would potentially allow you to see the output (and modify it!) before sending it to the user. There are probably situations where this would not work properly; to use this against a production program would require your program to be executed not the actual app; and, it doesn't provide info about what the program is doing (e.g. reading and writing from the DB) unless you are running some sort of trace where you can access the output.

Trying to parse buffered output or a trace file and then do something with that info would be very tricky, especially if you want to make it generic and can't predict what the exact format of the info will be.

You didn't really say why you want to do this but it seems that whatever you are trying to accomplish probably needs to be done some other way.


@chrishea Thank you very much. I'm working on PHP based IDS which in effect not only scans the incoming request which every other IDS does but also scans the output. My concern is if the database is already embedded with the fields that can prove fatal to others say <script>alert(0)</script>, then this probably can't be detected by everyday IDS since they usually don't check the outpue and if they do, then atleast not through PHP but at the core level perhaps C module like modsecurity.

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.