Testing PHP form injection

  • I'm writing a very small PHP app that takes input via a form. As could be expected for a first revision, the code does no escaping or sanitisation of input:

    if( $_POST["var"] != "" ) {
        print "Current value: ".$_POST["var"]."\n";
    }
    

    But if I try to inject PHP code ("; print phpinfo();, " etc.) I just get it echoed back to me instead of executing it.

    I'm aware of how to clean the input using htmlspecialchars, addcslashes, mysqli_real_escape_string etc. but before I use them - what syntax do I need to successfully inject arbitrary PHP code?

    I have noticed that my machine has the PHP Suhosin patch installed (Ubuntu 10.10) - would that be auto-escaping/sanitising my input for me?

  • AviD

    AviD Correct answer

    10 years ago

    For that code, I wouldnt expect to get PHP injection, but I'd look at Cross-Site Scripting (XSS) instead.

    For example, try injecting:

    <script> alert('woot Security.SE rulez!');</script>
    

    Confirmed, and fixed with `htmlspecialchars`. After consulting with our guru I'll rework it to a static page so I won't have to worry about it anyway.

    learn much from here.

License under CC-BY-SA with attribution


Content dated before 7/24/2021 11:53 AM