
Before going live with my website, I gave some thought to security:

This question is about understanding the processing in PHP and does not strive for a solution for securing the form.

Consider this bare-bones script, which is completely insecure against XSS and SQL injection if provided:

<?php
// Deliberately insecure: the posted value is echoed back without any escaping.
if (isset($_POST['submit']) && $_POST['submit'] == "1") {

    $input = $_POST['input'];
    echo "echo the input: " . $input . "<br/>";
}
?>
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="POST">
<input type="text" name="input" value="<?php echo $_POST['input'] ?? ''; ?>"/>
<input type="hidden" name="submit" value="1"/>
<input type="submit" value="submit"/>
</form>

I am wondering why an injection like this does not work (in the input field):

";unset('index.php');

I am naively thinking the `";` would end the echo and then proceed with the code. Actually I am very happy this does not work, but I would like to know why. In SQL something like this would actually work: `' OR 1`.

I know how to secure this with addslashes or htmlspecialchars, but that is not the question. I want to gain an insight into how PHP works in processing this.

Thanks

Email
  • Regarding your own aside: be careful with any string-munging functions such as `addslashes()`, `mysql_real_escape_string()` and `htmlspecialchars()`; they only give you the protection you desire in select places and under certain circumstances. See http://stackoverflow.com/questions/110575/do-htmlspecialchars-and-mysql-real-escape-string-keep-my-php-code-safe-from-inje/110576 – Cheekysoft Jan 09 '12 at 09:55

2 Answers

It would work if you put it through eval(), but otherwise it's just a string like any other.

Niet the Dark Absol
  • So you mean if I write eval() in the processing, or if someone injects with eval `";eval(unset('index.php'));`? I guess the first, which pleases me because I have never used eval before. – Email Jan 09 '12 at 06:32
  • @Email NO, if you send `eval(unset($var))` you are STILL sending a **string**, a literal string. Eval() has to _evaluate_ the string provided in order to make it PHP executable code; if there's no eval() in your code, you're safe against _that problem_. – Damien Pirsy Jan 09 '12 at 06:33

The contents of $_POST array elements are strings. So whenever you submit `";unset('index.php');` (by the way, doesn't unset work on variables?), you actually send that as a string, not as PHP executable code.

Unless you're using eval(), you don't need to worry about PHP code being evaluated.

Another thing: don't use addslashes() to secure queries, but use your library's dedicated function, such as mysql_real_escape_string() for MySQL. Or better, use query bindings with prepared statements and parameterized queries.

Damien Pirsy
  • Hi. Yes, but against XSS wouldn't I use htmlspecialchars? Or is that obsolete if I use POST instead of GET? – Email Jan 09 '12 at 06:38
  • No, htmlspecialchars() or htmlentities() are indeed what you use against XSS (both for $_POST and $_GET and $_COOKIE. For everything, actually). I was talking about securing DB queries; I thought you referred to that when talking about addslashes(). – Damien Pirsy Jan 09 '12 at 06:39
  • I mark this as the answer because it explains the reasons more. Thanks to Kolink too. – Email Jan 09 '12 at 06:48
  • I was going to do that :P Damien, if we are only using echo is it still dangerous? Or would it only be dangerous if we use eval? – whd Feb 28 '13 at 17:35
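The point both answers make, as an added example that is not part of the original question or answers: a posted value only becomes "code" when some parser reads it as source text. In the question's script no such parser ever sees `$input`, so the quote and semicolon are inert; hand the same string to eval() or paste it into a SQL statement and a parser does see it. The script below is constructed to run offline (it assumes PHP 7 or later with the bundled pdo_sqlite extension, and uses an in-memory SQLite table in place of the asker's database). The eval() step uses a benign payload because the original one, `unset('index.php')`, is not valid PHP (unset() only accepts variables) and would abort with a compile error rather than run.

```php
<?php
// Added example, not code from the original page. Assumes PHP >= 7 with pdo_sqlite.

// Constructed input, standing in for $_POST['input'] from the question.
$input = '";unset(\'index.php\');';

// 1. Data path: plain concatenation, exactly what the question's script does.
//    The PHP source was compiled before $input had a value, so the characters
//    inside $input are never read as source text. They are just bytes in a string.
function echoInput(string $input): string
{
    return "echo the input: " . $input . "<br/>";
}
echo echoInput($input), "\n";
// prints: echo the input: ";unset('index.php');<br/>

// 2. Code path: eval() compiles its argument as PHP source, so the same
//    quote-and-semicolon now closes the string literal and starts a new statement.
$benign = '"; $marker = "injected"; $x = "';   // constructed, harmless payload
$marker = 'untouched';
eval('$x = "' . $benign . '";');   // source seen by eval: $x = ""; $marker = "injected"; $x = "";
echo "after eval, \$marker = $marker\n";   // prints: after eval, $marker = injected

// 3. SQL path: a concatenated query string is also source text, for the
//    database's parser. This is why the asker's ' OR 1 works against SQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (name TEXT)");
$db->exec("INSERT INTO users VALUES ('alice'), ('bob')");

$name = "nobody' OR '1'='1";   // constructed input, same idea as ' OR 1

// Vulnerable: the value is pasted into the SQL text before the database parses it.
$sql  = "SELECT name FROM users WHERE name = '" . $name . "'";
$rows = $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
echo "concatenated query matched " . count($rows) . " rows\n";   // 2: no user is called nobody

// Prepared statement: the SQL is parsed first, the value is bound afterwards,
// so the quote inside $name never reaches the SQL parser.
$stmt = $db->prepare("SELECT name FROM users WHERE name = ?");
$stmt->execute([$name]);
$rows = $stmt->fetchAll(PDO::FETCH_COLUMN);
echo "parameterised query matched " . count($rows) . " rows\n";   // 0

// 4. HTML path, for the XSS side raised in the comments: the browser is a
//    parser too, so output that lands in HTML is escaped for that context.
echo "escaped for HTML: " . htmlspecialchars($input, ENT_QUOTES, 'UTF-8') . "\n";
// prints: escaped for HTML: &quot;;unset(&#039;index.php&#039;);
```

Run it with `php example.php`. Sections 1 and 2 answer the question directly: the string is identical in both cases, and only the presence of eval() changes what happens to it. Sections 3 and 4 show that the same rule decides when SQL injection and XSS work: each is the data reaching a parser (the database's, the browser's) as part of its source text, which is why prepared statements and context-specific escaping, not addslashes(), are the fixes the answers recommend.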