2

I haven't found this question on here yet, and I have done some quick Google research on this but I couldn't really find a clear or good answer to this question.

Is it possible to inject a piece of php code in an input field. that would actually work.

//for instance.
//Ill fill in '"test()"' in the field.
<input type="text" name="input" value="'"test()"'">

$injection = $_POST/*(or $_GET)*/['input']; // coming from the input

// (a plain function; "public function" is only valid inside a class)
function test(){
    echo "injection successful";
}

So is this possible?

1
  • 4
    Only if you evaluate user input as code instead of treating it as text. (Same goes for SQL injections.) Commented May 23, 2014 at 9:56

3 Answers

8

It is possible, but not like that. If you do what you do in your script, then the code would just be assigned as-is (as a string) to the variable $injection.

You can however execute it like this:

$injection = $_POST/*(or $_GET)*/['input']; 
eval($injection);

There are other ways as well, but all have the same issue: you must actually evaluate the string as code to execute it. eval is the most obvious solution for that.

But be very careful when you implement this! If you open such a form for the outside world, everybody can execute any script, including ones that might destroy your server or steal your passwords.


Comments
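As an added illustration of the point made in this answer (this is not code from the question or the answer), the following script shows that the posted value remains an ordinary string, that the real defect in the question's form is the unescaped attribute, and that a fixed map of callables is the safe replacement for eval when user input has to select behaviour. The dispatch function, the $actions map and the sample input are assumptions made for this example.

```php
<?php
// Added example: user input stays data unless you deliberately evaluate it.
declare(strict_types=1);

function test(): string
{
    return 'injection successful';
}

// Constructed sample: what the question's user types into the field.
$input = "'\"test()\"'";

// 1. Plain assignment. PHP never parses the string as code, so test() is not called
//    and the variable holds exactly the characters that were posted.
$injection = $input;
echo 'is_string: ', var_export(is_string($injection), true), PHP_EOL;
echo 'unchanged: ', var_export($injection === $input, true), PHP_EOL;

// 2. Reflecting the value back into the form is where a problem does appear:
//    unescaped, the embedded quotes terminate the value attribute (HTML injection).
//    htmlspecialchars() with ENT_QUOTES encodes both quote kinds so the attribute
//    stays intact.
$unsafe = '<input type="text" name="input" value="' . $injection . '">';
$safe   = '<input type="text" name="input" value="'
        . htmlspecialchars($injection, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '">';
echo 'unsafe: ', $unsafe, PHP_EOL;
echo 'safe:   ', $safe, PHP_EOL;

// 3. If the input is meant to choose an action, dispatch through an allowlist
//    instead of eval(): only callables you placed in the map can ever be invoked.
function dispatch(string $action, array $allowed): string
{
    if (!array_key_exists($action, $allowed)) {
        return 'unknown action';
    }
    return $allowed[$action]();
}

$actions = ['test' => 'test'];          // assumed map of permitted actions
echo dispatch('test', $actions), PHP_EOL;       // a permitted key runs test()
echo dispatch($injection, $actions), PHP_EOL;   // the posted string matches no key
```

Run it from the command line with php; the allowlist map is the pattern to carry into real code, because the user can only ever pick a key, never supply the code that runs.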

1

The snippet you posted is harmless, but depending on what you do with user-supplied data, it can be used in a code-injection attack. The linked wiki has some examples, here's a couple of them:

$posted = $_POST['user_input'];
eval($posted);//<--- NEVER DO THIS

However, after 10 years, I've never ever even gotten close to the point where I had to even worry about dreaming of having to maybe go down this route.
Another, slightly less unlikely possible vulnerability is improper escaping when passing user-data to exec:

$cmdArgument = $_POST['flag'];
exec('ls '.$cmdArgument, $return, $status);

Could leave you vulnerable if I passed this as a "flag" value:

-lta && /usr/bin/env php -r 'echo __DIR__;'

And use that input to start messing around with your file-system.
To protect against this, use the escapeshellarg and escapeshellcmd functions to sanitize the input.

More common, equally dangerous, but easier to overlook, would be this:

$requested = $_GET['page'];
require $requested.'.php';

Instead, if you want to require scripts like this, a safer, and just as easy approach is this:

switch ($_GET['page'])
{
    case 'admin':
        require 'admin.php';
        break;
    case 'user':
        require 'user.php';
        break;
    default:
        require 'error.php';
        break;
}
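As an added example that is not part of this answer, here is a hardened version of the two patterns it discusses: the exec call is built only from an escaped argument (with "--" so ls does not read the value as options), an allowlist variant is shown for the case where only a few flags are legitimate, and the page include is resolved through a fixed map plus a realpath check so the included file can never leave the page directory. The functions, the pages/ directory and the error handling are assumptions for this example; the "flag" value is the one quoted in the answer.

```php
<?php
// Added example: safe handling of user input that reaches exec() and require.
declare(strict_types=1);

// Constructed sample: the "flag" value quoted in the answer above.
$flag = "-lta && /usr/bin/env php -r 'echo __DIR__;'";

// exec(): escapeshellarg() wraps the value in single quotes and escapes embedded
// ones, so the shell passes it as one argument and the "&&" never starts a second
// command. "--" additionally stops ls from treating the argument as options.
function buildListCommand(string $userArg): string
{
    return 'ls -- ' . escapeshellarg($userArg);
}

// Tighter alternative when only a fixed set of flags is legitimate: allowlist them
// and never place the raw string into the command at all.
function listFlags(string $userArg): string
{
    $allowed = ['-l', '-a', '-t', '-la', '-lt', '-lta'];
    return in_array($userArg, $allowed, true) ? $userArg : '-l';
}

exec(buildListCommand($flag), $output, $status);   // ls reports no such file, status != 0
echo 'escaped call exit status: ', $status, PHP_EOL;
exec('ls ' . listFlags($flag), $output2, $status2);  // falls back to the default flag
echo 'allowlisted call exit status: ', $status2, PHP_EOL;

// require: map the request onto a fixed set of files, then confirm the resolved
// path is inside $baseDir so "../" sequences or absolute paths cannot escape it.
function resolvePage(string $requested, string $baseDir): ?string
{
    $pages = ['admin' => 'admin.php', 'user' => 'user.php'];
    if (!isset($pages[$requested])) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $pages[$requested]);
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Assumed layout: the page files live in a pages/ directory beside this script.
$page = resolvePage((string) ($_GET['page'] ?? ''), __DIR__ . '/pages');
if ($page !== null) {
    require $page;
} else {
    http_response_code(404);
    echo 'unknown page', PHP_EOL;
}
```

The allowlist is what actually removes the risk; escapeshellarg only makes the raw value safe to pass as a single argument, and the realpath check only catches attempts to walk out of the directory, so use them as a second layer behind the fixed map rather than instead of it.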

Comments

0

The PHP exec command can execute code posted to the server. Otherwise PHP code written in a text box will not be interpreted as PHP but just as a normal string.

3 Comments

The exec command executes (shell) commands. This can be a script or anything else, but it always refers to something on the server, not to something in the $_POST or $_GET inputs.
@GolezTrol: Look at my answer, it can be dangerous, if you pass it a $_POST or $_GET value containing &&
I know it can be dangerous, but the question was if it was possible (and how). If someone asks you if they can buy a gun, you can tell them 'yes' or 'no', but not just give them a flower instead.
