-2

I was just wondering, whether if php can be injected just like the way mysql can be injected. I have a rough idea of how sql injection is done, and have successfully carried it out in development environment. So I was just wondering if php too could be injected.

Though I myself have a gut feeling that it would not be the case since even if tried it would be more like trying to inject a mysqli prepared statement.

And no! I am not talking about injecting javascript into the input I am talking about plain php-html injection through input/GET/POST . Like stopping the current php code execution and inserting your own code in between.

Your Common Sense
  • 156,878
  • 40
  • 214
  • 345
Mohd Abdul Mujib
  • 13,071
  • 8
  • 64
  • 88
  • 2
    Google "is php vulnerable" and you'll see a whole bunch of links. The short answer is "yes". Here's one find https://en.wikipedia.org/wiki/File_inclusion_vulnerability and another https://www.owasp.org/index.php/PHP_Object_Injection and http://stackoverflow.com/questions/1783137/examples-of-vulnerable-php-code – Funk Forty Niner Aug 25 '15 at 10:48
  • PHP is just a language for serverside web programming. If the data interacting with the server/database is not sanitized, you open up the possibility of injection. – SaggingRufus Aug 25 '15 at 10:49
  • 3
    I always take my PHP intravenously, dont you? Wow feel the buzz man! – RiggsFolly Aug 25 '15 at 10:52
  • 1
    Also: https://www.owasp.org/index.php/Code_Injection and https://www.owasp.org/index.php/Direct_Dynamic_Code_Evaluation_%28%27Eval_Injection%27%29 – vhu Aug 25 '15 at 10:52
  • 1
    if you are not using `eval()` I wouldn't worry too much – Daniel Krom Aug 25 '15 at 10:53
  • 1
    @RiggsFolly Coffee's that good huh Smokey? ;-) what're you putting in that anyway? You're not Irish. – Funk Forty Niner Aug 25 '15 at 10:54
  • @RiggsFolly Dude!! :D that joke just killed me . – Mohd Abdul Mujib Aug 25 '15 at 10:55
  • 1
    Pretty much all scripting languages provide for dynamic code evaluation. PHP more than others (X-Ref: [Exploitable PHP functions](http://stackoverflow.com/q/3115559)). Variables and input values *all by themselves* do not. – mario Aug 25 '15 at 10:58
  • possible duplicate of http://stackoverflow.com/questions/1783137/examples-of-vulnerable-php-code – Funk Forty Niner Aug 25 '15 at 11:00
  • @Fred-ii- but that is talking about SQL_injection and not the php vulnerability. – Mohd Abdul Mujib Aug 25 '15 at 11:01
  • @MohdAbdulMujib go through the whole page. Don't tell me you read that within 30 seconds. Mario's link talks about that also. – Funk Forty Niner Aug 25 '15 at 11:02
  • possible duplicate of *too broad* – Funk Forty Niner Aug 25 '15 at 11:03

1 Answers1

2

Yes, this might be possible. If you use eval() or output buffering for generating your output and do not properly escape values stored in the database before you feed it to your template parser, the PHP code within might be executed.

If you use plain PHP in your templates the risk is rather high.

Markus Müller
  • 2,611
  • 1
  • 17
  • 25