Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

PHP Injection from HTTP GET data used as PHP array key value

Tags:

php

code-injection

i would like to know if there is a possible injection of code (or any other security risk like reading memory blocks that you weren't supposed to etc...) in the following scenario, where unsanitized data from HTTP GET is used in code of PHP as KEY of array.

This supposed to transform letters to their order in alphabet. a to 1, b to 2, c to 3 .... HTTP GET "letter" variable supposed to have values letters, but as you can understand anything can be send to server:

HTML:

http://www.example.com/index.php?letter=[anything in here, as dirty it can gets]

PHP:

$dirty_data = $_GET['letter'];

echo "Your letter's order in alphabet is:".Letter2Number($dirty_data);

function Letter2Number($my_array_key)
{
    $alphabet = array("a" => "1", "b" => "2", "c" => "3");

    // And now we will eventually use HTTP GET unsanitized data
    // as a KEY for a PHP array... Yikes!

    return $alphabet[$my_array_key]; 

}

Questions:

  1. Do you see any security risks?
  2. How can i sanitize HTTP data to be able use them in code as KEY of an array?
  3. How bad is this practice?
like image 605
easy_weezy Avatar asked Sep 07 '11 22:09

easy_weezy

1 Answers

I can't see any problems with this practice. Anything you... errr... get from $_GET is a string. It will not pose any security threat whatsoever unless you call eval() on it. Any string can be used as a PHP array key, and it will have no adverse effects whatsoever (although if you use a really long string, obviously this will impact memory usage).

It's not like SQL, where you are building code to be executed later - your PHP code has already been built and is executing, and the only way you can modify the way in which it executes at runtime is by calling eval() or include()/require().

EDIT

Thinking about it there are a couple of other ways, apart from eval() and include(), that this input could affect the operation of the script, and that is to use the supplied string to dynamically call a function/method, instantiate an object, or in variable variables/properties. So for example:

$userdata = $_GET['userdata'];

$userdata();
// ...or...
$obj->$userdata();
// ...or...
$obj = new $userdata();
// ...or...
$someval = ${'a_var_called_'.$userdata};
// ...or...
$someval = $obj->$userdata;

...would be a very bad idea, if you were to do it with sanitizing $userdata first.

However, for what you are doing, you do not need to worry about it.

like image 117
DaveRandom Avatar answered Sep 28 '22 07:09

DaveRandom
Sign in to Comment

Related questions

PHP file creation/write within destructor
How to cache static content (css, images,js files) in CakePHP2?
using javascript countdown with server side time
php extracting text/plain from mail body
firefox having "#;" in the addressbar
how to convert an HTML template into Cake PHP template
Php: singleton VS full static class? When use what?
PHP date() only from 1970 - 2038
Help with PHP mail() function [duplicate]
PHP-powered GUI Applications for Windows
Advice on writing math equations into code
how to differentiate ajax call and browser request in php (or codeigniter)?
How do you insert multiple records into a table at the same time?
PHP5 database password and can it be stolen?
installing PHP APC extension on windows
google analytics serverside tracking
Implementing a "Did you mean?" feature as used on Amazon and Google
PHP MySQL Search Suggestions
How does one access the URL arguments in codeigniter if one was to follow REST architecture?
calculate product variants based on option groups and options

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!