PHP GET variable array injection

dave · Dec 11, 2009 · Viewed 21.3k times

I've recently learned that it's possible to inject arrays into PHP GET variables to perform code execution?

.php?a[]=asd&a[]=asdasd&b[]=$a

That was the example I was given. I have no idea how it works and was wondering if this is even possible?

Answer

Pascal MARTIN · Dec 11, 2009

PHP will parse the query string, and inject those values in the $_GET super-global array (same for $_POST if this was done in a form using POST, btw).

In your case, the $_GET array will contain this:

array
  'a' => 
    array
      0 => string 'asd' (length=3)
      1 => string 'asdasd' (length=6)
  'b' => 
    array
      0 => string '$a' (length=2)

Each value passed in the query string will be put by PHP in the $_GET array, creating sub-arrays if necessary, when there are [] used in the query string.

But this doesn't cause any kind of "code execution": as long as you deal with input properly (i.e. don't trust the input and use eval on it, or any kind of bad idea like this), there is no risk of code-injection.
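
The parsing described in this answer can be reproduced offline with parse_str(), which applies the same bracket rules PHP uses when filling $_GET. This is an added example, not part of the original answer; get_string() and get_string_list() are hypothetical helper names showing one way to reject a parameter whose shape is not the one the code expects.

```php
<?php
// Constructed sample: the query string from the question.
// Single quotes keep PHP itself from interpolating "$a" in this literal.
$query = 'a[]=asd&a[]=asdasd&b[]=$a';

// Build the same nested structure that $_GET would hold for this request.
parse_str($query, $params);

// The value of b[0] is the literal two-character string "$a": plain data.
var_dump($params['b'][0] === '$a');
var_dump(is_array($params['a']));

/**
 * Hypothetical helper: return a parameter only when it is a plain string,
 * so an unexpected a[]=... array never reaches code that expects text.
 */
function get_string(array $params, string $key): ?string
{
    $value = $params[$key] ?? null;
    return is_string($value) ? $value : null;
}

/**
 * Hypothetical helper: return a parameter as a flat list of strings,
 * rejecting scalars and nested arrays such as a[][x]=1.
 */
function get_string_list(array $params, string $key): ?array
{
    $value = $params[$key] ?? null;
    if (!is_array($value)) {
        return null;
    }
    foreach ($value as $item) {
        if (!is_string($item)) {
            return null;
        }
    }
    return array_values($value);
}

// Scalar accessor applied to the array-valued parameter "a".
var_dump(get_string($params, 'a'));
// List accessor applied to the same parameter.
var_dump(get_string_list($params, 'a'));

// Constructed sample: one more level of nesting than the code expects.
parse_str('a[][x]=1', $nested);
var_dump(get_string_list($nested, 'a'));
```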