I have an application where I need to be able to let the users put anything into an input field and am having issues with null bytes. I am passing the data via AJAX to PHP 5.5 and can see it's being passed from the AJAX request correctly, but when I immediately var_dump the $_POST on the PHP side, a string that contained '%00' comes through as ''. As an aside, I'm protecting my database from injection by using query bindings. Also, the user base is exclusively internal to my company. So, I'm not really concerned with the security aspect of it. How can I get PHP to let these null bytes through?

user6041966
  • What is it coming through as? " "? ""? It got cut off I think. – KM529 Oct 24 '16 at 17:18
  • PHP itself doesn't use nulls to signify end-of-string. It may be C-based, but it's NOT bound by C's own restrictions. That being said, some of PHP's functions are merely wrappers around the underlying C equivalent, and some of THOSE can/will take nulls as an end-of-string. – Marc B Oct 24 '16 at 17:21
  • It is getting passed via AJAX as '%00' and PHP $_POST prints it out as a blank string ''. – user6041966 Oct 24 '16 at 17:38
  • Marc B, the users are not necessarily using the null byte to signify the end of a string. Rather, it could be the entirety of the string itself. – user6041966 Oct 24 '16 at 17:42
  • It's there: `echo urlencode($_POST['var']);` – AbraCadaver Oct 24 '16 at 17:52
  • Hi AbraCadaver, it is not there, even with urlencode. It is coming through as a string with a length of 0. – user6041966 Oct 24 '16 at 17:59
  • Are you running Suhosin or Suhosin Patch? http://stackoverflow.com/questions/3383916/how-to-check-whether-suhosin-is-installed It will strip null bytes. – AbraCadaver Oct 24 '16 at 18:23
  • No, no Suhosin. I've tried it on both PHP 5.5.23 and PHP 5.5.20 and both of them strip out the null byte character before I can do anything with the $_POST. – user6041966 Oct 24 '16 at 18:44

1 Answer

Echoing a null-byte in PHP would indeed result in an empty-looking string, so this makes perfect sense.

```php
echo chr(0); // outputs nothing
```

Evert
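
One way to find where the byte disappears, as an added example that is not part of the original question or answer: it prints the length and hex of a value, so an invisible NUL byte can be told apart from an empty string, and compares the raw request body with `$_POST`. The field name `var` comes from the comment above; the helper names and the sample body are constructed for illustration.

```php
<?php
// Added diagnostic sketch, not code from the thread. The field name 'var' is
// taken from the comment above; helper names and the sample body are constructed.

// Show a value's byte length and hex so invisible bytes can be seen.
function describe_bytes($value)
{
    if ($value === null) {
        return 'missing';
    }
    return sprintf('len=%d hex=%s', strlen($value), bin2hex($value));
}

// Decode one field straight from a raw application/x-www-form-urlencoded
// body, without going through PHP's own $_POST population.
function field_from_raw_body($rawBody, $field)
{
    foreach (explode('&', $rawBody) as $pair) {
        $parts = explode('=', $pair, 2);
        if (urldecode($parts[0]) === $field) {
            return isset($parts[1]) ? urldecode($parts[1]) : '';
        }
    }
    return null;
}

if (PHP_SAPI === 'cli') {
    // Offline run: a NUL byte echoes as nothing visible, yet it is one byte.
    echo 'chr(0):      ', describe_bytes(chr(0)), PHP_EOL;
    // Constructed sample body, shaped like the AJAX request in the question.
    $sample = 'var=%00&other=a%00b';
    echo 'var:         ', describe_bytes(field_from_raw_body($sample, 'var')), PHP_EOL;
    echo 'other:       ', describe_bytes(field_from_raw_body($sample, 'other')), PHP_EOL;
} else {
    // Live request: compare the bytes on the wire with what $_POST holds.
    // php://input is empty for multipart/form-data requests.
    $raw = file_get_contents('php://input');
    $fromPost = isset($_POST['var']) ? $_POST['var'] : null;
    header('Content-Type: text/plain');
    echo 'raw body:    ', $raw, PHP_EOL;
    echo 'from raw:    ', describe_bytes(field_from_raw_body($raw, 'var')), PHP_EOL;
    echo 'from $_POST: ', describe_bytes($fromPost), PHP_EOL;
}
```

If the "from raw" line reports one byte of `00` while the "from $_POST" line reports length 0, the byte was removed after the request body reached PHP, not by the browser or by the output step.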