0

I need to handle untrusted input that will be written into a file that is executed by the server, config.php, like this:

$config['key'] = "Value";

I want to make it so that the user can submit a form which will write config.php. It obviously makes more sense to store this value in a database, but I cannot do that because this is a legacy system.

I found the functions addslashes and serialize, but I'm not sure if they are safe for this use case. I also could use hex2bin/bin2hex I suppose.

Another hack I thought of was using HEREDOCs:

$x = <<<PASSWORD

untrusted input here" echo "BOOM!";

PASSWORD;

What is the best way to proceed in this situation if you cannot change how configuration variables are stored?

Improve this question
3
  • php.net/manual/en/function.filter-var.php & php.net/manual/en/filter.filters.sanitize.php Commented Oct 24, 2013 at 23:37
  • var_export would be fine for this purpose. Commented Oct 25, 2013 at 0:37
  • It's a bad idea to store run-time writable config in a PHP file. Even if your PHP-syntax-output is completely correct, you still have to give the web user run-time write access to executable files, which means any file-upload vulnerability will escalate to an execute-arbitrary-code vulnerability. If you can't store to a database, at least store to a flat non-executable file (eg text or JSON) which can be read from PHP. Commented Oct 25, 2013 at 10:48

1 Answer 1

Reset to default
1

Base64 the content. Anything base64'ed can't possibly be valid PHP code

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.