
Possible Duplicate:
Can php variable hold harmful code safely?

Let's say I have an array named $content. The array holds harmful data.

Is it safe to do the following?

$test = count($content);
echo $test;

Would count() somehow execute the harmful data?

    What do you consider "harmful data" in an array? – Niko Oct 25 '12 at 07:44
  • any type of possible code, links, html, sql injection etc... – user1760417 Oct 25 '12 at 07:45
  • An array cannot contain an SQL injection, your code can. Also the other things you named harmful: code, links, html aren't out of the box, this needs context of the processing of the data. In your example, it does not play any role whatever `$content` is. It will always be safe. But that does not say much. – hakre Oct 25 '12 at 07:48
  • yes sorry, I'm new to stackoverflow, thought that question was already closed because I chose your answer. I had this additional question specifically about count() – user1760417 Oct 25 '12 at 07:49
  • No, you have not yet understood that you're asking yourself the wrong question in the context of security. You cannot start to ask of each php function and feature you want to make use of whether it is safe or not. – hakre Oct 25 '12 at 07:51
  • There is no such thing as unsafe data in an array. It only gets unsafe once you are going to do things with it. – PeeHaa Oct 25 '12 at 07:56
  • According to my current script, I have to use count() on an unsanitized array before I can sanitize it. After that, the script sanitizes it. Since people here started to talk about "eval", I wasn't sure if count() would pose a similar risk. My mistake is that I quickly posted the question and did not ask everything I wanted to know, so I apologize for that. – user1760417 Oct 25 '12 at 07:57
  • You are asking for absolution. Nobody here on this website can give it to you. Better would be that you do a code-review for example with a complete example. That is on a different website. – hakre Oct 25 '12 at 08:35

3 Answers


Long story short: no worries.

Short story long:

Count will return an int, and should not execute anything. It's not a really complicated function, so I doubt it could even have such a bug, but the facts are

  1. it should not execute anything
  2. if it does, this is a bug.
  3. it is never reported as far as I can see that it did.
  4. therefore there is no real reason to think it is a risk.
  5. If you still think it can, you can look up the source code for a check of course
Nanne

As far as I'm aware, you'd have to eval() any code for it to actually be executed in the manner you describe. So no, nothing would get executed.

David John Welsh

It is SAFE to count a PHP unsanitized array.

But don't use it in eval(), and sanitize it well in your SQL statements in order to prevent SQL injection.

Mithun Sreedharan
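The point made in the comments and in the last answer, that the array itself is inert and the risk appears only at the place where the data is used, can be shown in a few lines. The following is an added example, not code from the question or any of the answers; the strings in `$content` are constructed stand-ins for "harmful data", and the in-memory SQLite database is only there so the SQL part runs without a server.

```php
<?php
// Added example (not from the question or any answer). The values below are
// constructed, deliberately ugly strings standing in for "harmful data".
$content = [
    '<?php echo "this is only a string"; ?>',   // looks like PHP code
    "<script>alert('html')</script>",           // looks like HTML/JS
    "O'Brien",                                   // a plain quote, breaks naive SQL
];

// count() only inspects the array structure; it never looks inside the
// strings, let alone parses or runs them. It returns an int: 3.
$test = count($content);
var_dump($test);                                 // int(3)

// The same values become a problem only at a sink, and the sink decides the fix.

// Sink 1: HTML output. An unescaped echo would hand the <script> tag to the
// browser; escaping turns it back into harmless text.
foreach ($content as $value) {
    echo htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8'), "\n";
}

// Sink 2: SQL. Build the statement with a bound parameter instead of string
// concatenation; the database then treats "O'Brien" as data, never as syntax.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, value TEXT NOT NULL)');

$insert = $db->prepare('INSERT INTO items (value) VALUES (:value)');
foreach ($content as $value) {
    $insert->execute([':value' => $value]);
}

// All three rows are stored verbatim; nothing was interpreted by the database.
$stored = $db->query('SELECT value FROM items ORDER BY id')->fetchAll(PDO::FETCH_COLUMN);
var_dump($stored === $content);                  // bool(true)

// Sink 3: eval(). There is no escaping function for this sink; the only safe
// choice is to never pass untrusted strings to it.
```

Run it with `php example.php`: count() gives 3 regardless of what the strings contain, the HTML sink is handled by output escaping, and the SQL sink by a prepared statement, which is what the answers mean by "sanitize it in your SQL statements". Each sink needs its own treatment; there is no single "sanitize the array" step that covers all of them.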