Let's say I have a text file. It contains "harmful" code like:

<?php phpinfo(); ?>

or it could be anything else, SQL injection code, html links etc...

Now here is my example script:

$content = file_get_contents('harmfullcode.txt');

Now obviously the $content variable will store that harmful code.

My question is, is it safe to store such information in a variable?

I know for example if I

echo $content;

then it WILL be harmful.

But if I don't do anything with the variable, is it safe for the variable to hold any type of harmful code?

Edited to make it more clear:

What is the difference between this?

$content = file_get_contents('harmfullcode.txt');
$safevar = removebadstuff($content);
echo $safevar;

VS

$content = removebadstuff(file_get_contents('harmfullcode.txt'));
echo $content;

The second example removes bad stuff before assigning it to $content...?? I'm kind of new to PHP security, trying to grasp the concept. Thank you.

  • If you don't output or further process that variable, the question is, why do you read it in in the first place? I assume you *are* processing that variable, and like `echo`, the *kind of processing* is necessary to know to answer your question. What happens with that variable? It's less interesting to know about only two cases that do not happen, but the cases that do happen. – hakre Oct 25 '12 at 06:11
  • I edited to make it more clear. – user1760417 Oct 25 '12 at 06:27
  • The `removebadstuff` function remains undefined. It does not show what you actually do with the data. Also normally, data is properly encoded when *output* because there are different kinds of output. If you cripple the data ("remove bad stuff"), the chance is high that you're doing something wrong. – hakre Oct 25 '12 at 06:29
  • removebadstuff function would use all appropriate measures like trim, magic quotes, stripslashes, htmlentities, mysqlrealescape etc... What I am trying to say in my edited examples is this: in the first example the $content variable holds the information without sanitizing, in the second example it sanitizes before it holds the information. Is there any difference in my above examples? Or do they accomplish the same task? – user1760417 Oct 25 '12 at 06:34
  • They are nearly identical. You might want to `unset` `$content` in the first example as the second example only creates the local variable as the first parameter of `removebadstuff`. BTW: strings in PHP are binary-safe. – hakre Oct 25 '12 at 06:40
  • Thank you! Now that I know, you relieved me from stress and gave me confidence. – user1760417 Oct 25 '12 at 06:48
  • hmm, how do I mark you as answer? – user1760417 Oct 25 '12 at 06:49
  • I added a short answer. Also I put there a link to another question, you should understand about the binary safety. Not that you use the data with some function not binary safe and you then wonder later on. – hakre Oct 25 '12 at 06:55

4 Answers

If it will not be printed or eval'd then it's OK to store it in a variable as any string variable.

Denis Ermolin
  • To make it safe I would sanitize the $content variable like $safevar = removebadstuff($content); then I would echo $safevar or do other things with it. My question is, is it safe to store harmful code in a variable before sanitizing it. – user1760417 Oct 25 '12 at 06:12

Unless the harmful code is targeting a vulnerability in file_get_contents() or a similar function of PHP itself, then just storing it in a variable should be safe. Outputting it might be unsafe, and running eval on it is most certainly a bad idea.

Simon

It depends on how you treat this variable.

In your example, echo $content; will not be harmful, it will just show the harmful code without executing it.

The harmful examples:

eval($content);

exec($content); // or any other system program execution function

// preg_replace() with the e modifier; this is deprecated

// and so on .....
xdazz

  • echo can still inject malicious JavaScript into a web page.... just because it won't harm the server, but only the client's browser, doesn't make it any less harmful – Mark Baker Oct 25 '12 at 06:27

They are nearly identical. You might want to unset $content in the first example as the second example only creates the local variable as the first parameter of removebadstuff.

Keep in mind that strings in PHP are binary-safe.

Required reading: The ultimate clean/secure function

hakre
  • Oh, 1 more question: is it safe to use count() on an unsanitized array? – user1760417 Oct 25 '12 at 07:39
  • As with the rest of your question it cannot be said if it is safe or not. Sanitization might actually do harm, so would be unsafe. PHP itself will treat any array as an array regardless of the data it carries. As long as it is an array it is an array. Keep in mind that you're just changing some data, you don't make anything safe or unsafe. The parts where security plays a role are often elsewhere than you suspect, especially as you're applying the terms pretty broadly. – hakre Oct 25 '12 at 07:41
  • I think you should read this: http://stackoverflow.com/questions/4223980/the-ultimate-clean-secure-function - if you want it safe from the beginning, pull the network cable of your server out. Then PHP is safe. – hakre Oct 25 '12 at 07:45
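The following PHP script is an added example; it is not code from the question or from any of the answers above. It walks through the points the thread makes: bytes held in a variable are inert and PHP strings are binary-safe (hakre), echo into an HTML page is an injection sink even though it does not run on the server (Mark Baker), eval() and exec() are the sinks that actually execute the content (xdazz), and the fix is encoding chosen for the specific output context rather than a generic sanitizer applied when the file is read (hakre's comment). The file contents are constructed inline so the script runs offline; removebadstuff() is a hypothetical stand-in named after the question, and the other function names are this example's own.

```php
<?php
// Added example, not code from the question or any answer on this page.
// Bytes sitting in a PHP variable are inert; risk appears at a sink (echo
// into HTML, eval, a shell, SQL), and the remedy is encoding chosen for that
// sink at output time, not a generic removebadstuff() applied on read.
declare(strict_types=1);

// Constructed stand-in for the contents of harmfullcode.txt so this runs
// offline. It mixes PHP tags, HTML/JS, a SQL fragment and a NUL byte.
$content = "<?php phpinfo(); ?>\n<script>alert(1)</script>\n' OR '1'='1\n\0binary";

// 1. Storing: nothing is interpreted. PHP strings are binary-safe, so the
//    NUL byte is just another byte and strlen() counts it.
$stored = $content;                       // same as assigning file_get_contents()
assert(strlen($stored) === strlen($content));
assert(strpos($stored, "\0") !== false);  // the NUL survived intact

// 2. A blanket sanitizer of the kind the question calls removebadstuff() is
//    lossy: it damages legitimate text and still does not know which sink the
//    data is headed for. (Hypothetical function, named after the question.)
function removebadstuff(string $s): string
{
    return str_replace(['<', '>', "'", '"', "\0"], '', $s);
}
$legit = "x < 3 isn't \"big\"";
assert(removebadstuff($legit) !== $legit);  // harmless input has been mangled

// 3. Context-specific output encoding instead. Each function serves exactly
//    one sink; none of them "cleans" the stored value.
function forHtmlText(string $s): string
{
    // Safe inside element content, e.g. <p>...</p>.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function forHtmlAttribute(string $s): string
{
    // Same escaping, but the attribute value must also be quoted.
    return '"' . htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '"';
}

function forJavaScriptString(string $s): string
{
    // json_encode() yields a JS string literal; the HEX flags keep <, >, &
    // and quotes out of the raw output so "</script>" cannot be smuggled in.
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

function forUrlQueryValue(string $s): string
{
    return rawurlencode($s);
}

// HTML encoding is reversible, so the data is preserved, unlike removebadstuff().
assert(htmlspecialchars_decode(forHtmlText($legit), ENT_QUOTES) === $legit);
assert(strpos(forHtmlText($content), '<script>') === false);
assert(strpos(forJavaScriptString($content), '</script>') === false);

// 4. For SQL there is no string-escaping step at all: bind the value. The
//    driver stores the bytes verbatim, quote-based fragment included.
if (extension_loaded('pdo_sqlite')) {
    $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE notes (body BLOB NOT NULL)');
    $stmt = $db->prepare('INSERT INTO notes (body) VALUES (:body)');
    $stmt->bindValue(':body', $content, PDO::PARAM_LOB);
    $stmt->execute();
    $back = $db->query('SELECT body FROM notes')->fetchColumn();
    assert($back === $content);                 // round-trips unchanged
    assert($db->query('SELECT COUNT(*) FROM notes')->fetchColumn() == 1);
}

// 5. The sinks the answers name, eval() and exec(), are simply never called
//    with $content; no encoding step would make them safe.
echo "stored bytes: ", strlen($stored), "\n";
echo "html text:    ", forHtmlText($content), "\n";
echo "html attr:    ", forHtmlAttribute($content), "\n";
echo "js literal:   ", forJavaScriptString($content), "\n";
echo "url value:    ", forUrlQueryValue($content), "\n";
```

Run it with `php example.php`. The two assignment styles from the question behave the same way here: whether the raw bytes are kept in $content or passed straight into a function, nothing happens until a sink receives them, which is why the encoding functions take the untouched string and are applied only at the point of output.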