-5

I'm learning how to save my project from attackers, so I have a question.

I have a form with username and password fields that are passed through to a PHP script.

The received array is like this: Array([username] => X, [password] => Y)

Can an attacker escape this array to inject arbitrary PHP code into my script?

If yes, then how he is doing that and how I can counteract?

Question Attachment

Thanks for your help.

user7104700
  • 3
  • 3
  • 2
    Escape __what__? Write a script and put it __where__? – u_mulder Nov 03 '16 at 20:37
  • 1
    What do you mean by _"get saved in the array"_? Are you talking about posting a form, or where do you "echo" that array? Your question as waaay to unclear to be answered... write the _specifics_ about your app and show us the code you're worried about.. – M. Eriksson Nov 03 '16 at 20:37
  • @u_mulder In the php file where this array got given out. – user7104700 Nov 03 '16 at 20:38
  • @Magnus Eriksson Take a look at the Question Attachment. Both strings that are saved coming from an html form, so you can feel free typing anything in there. – user7104700 Nov 03 '16 at 20:40
  • That's just an ordinary array!? It doesn't tell us **anything** about your application. It's what you **do** with it in your code that matters, and you haven't showed us **anything** about that... – M. Eriksson Nov 03 '16 at 20:44
  • That is the sense, do you have an idea how to get out these string and execute an php function? Like ") ?> – user7104700 Nov 03 '16 at 20:47
  • Are you asking us to write a tutorial about the basics of PHP? SO is for _specific_ programming questions. There are literally thousands and thousands of PHP tutorials out there.. use [Google](https://www.google.com) and [php.net](http://php.net). SO is not for tutorials.. – M. Eriksson Nov 03 '16 at 20:49

1 Answers1

0

An attacker cannot "escape" a PHP array, because the contents of the array are not executed as code. It may contain a string of PHP, but that string is not executed.

What may be insecure is how your PHP code handles the user input later on.

If you are outputting the data without sanitising it, the user could put in any javascript code that would then appear on your site (For more info look up cross-site scripting or XSS). To prevent this in PHP check out this question.

Alternatively, if you are putting the data into a database without escaping it, the user could enter their own SQL commands (for more info look up SQL Injection). To prevent this in PHP, use something like PDO with prepared statements.

Community
  • 1
  • 1
MC-Squared
  • 88
  • 1
  • 4