PHP is Syntax wired behavior

Question

Today , i've seen some wiered syntax of PHP .

$x="{${phpinfo()}}";

Try to execute the above code and Bammm you will see the phpinfo() is getting executed , My eye brows got raised. however i've declared $x variable as string.

Look this vulnerability PHP code found in the Ebay. I am wondering how this got executed.

http://www.secalert.net/2013/12/13/ebay-remote-code-execution/

Why? Why are you doing this? What are you trying to achieve? — itsols, Dec 25 '13 at 12:30
http://www.php.net/manual/en/language.types.string.php#language.types.string.parsing.complex — Fabrício Matté, Dec 25 '13 at 12:33
You will get Notice: Undefined variable, because phpinfo() does not return anything. — Astery, Dec 25 '13 at 12:36

score 4 · Answer 1 · answered Dec 25 '13 at 12:30

4

It's not weird. It's how that's intended to be. phpinfo() will output data in any case. If you want to capture it's output, then use ob_ (output buffering) functions:

ob_start();
phpinfo();
$data = ob_get_contents();
ob_end_clean();
//var_dump($data);

Your problem isn't related to syntax.

answered Dec 25 '13 at 12:30

Alma Do

37,009
9
76
105

You're right , this isn't wired. But have a look at this vulnerability. I've updated the question – user3134488 Dec 25 '13 at 13:17

score 0 · Answer 2 · answered Dec 25 '13 at 12:30

PHPinfo is a function that returns information in HTML form about the PHP environment on your server (see http://us2.php.net/phpinfo for more information). To run PHPinfo, you must save the following code in a file on your computer using the text editor:

phpinfo ();

PHP is Syntax wired behavior

2 Answers2