Brian Williams wrote:


On Sun, Apr 5, 2009 at 11:17 PM, Michael B Allen <[email protected]> wrote:

    On Sun, Apr 5, 2009 at 9:06 PM, Brian Williams <[email protected]> wrote:
     > phpinfo() pish...
     >
     >
     > $user_input = "`rm -Rf /`"
     >
     > nuff said.
     >
     > in case it wasn't - backticks are basically the short cut to get
     > PHP to execute something on the command line.

    I don't understand how this has any impact on the OP's code. The
    backticks would simply be written to the log file. If you are careless
    enough to try to execute a log file as a shell script then you might
    as well erase your disk.


and if the text isn't passed with double quotes?


The text isn't ever passed with double quotes. It's passed as a string. Double quotes are just a mechanism used *inside a PHP file* to clump a bunch of characters into a string. The real contents of the variable are what's between the double quotes. That's why the following are all equivalent:

$bar = 'test';

$foo = "test";

$baz = <<<EOT
test
EOT;

$qux = <<<'EOT'
test
EOT;


Since user input comes from GET, POST or FILES, it will *always* be a string. For example, if a user visits the following URL:

http://example.com/index.php?foo=test

the user input $_GET['foo'] is strictly equal to all four of those strings above:

assert($_GET['foo'] === 'test');

assert($_GET['foo'] === <<<EOT
test
EOT
);

etc.


The contents of that GET variable (or a POST variable, or the contents of a file) is a string. A string will never hurt you unless you evaluate it as code--either through a call to eval(), or a DB query (yep, that's evaluating a string), or some other way.

For everything outside of those uses, worrying about sanitizing things inside a string is about as useful as worrying about PHP function names and keywords inside a string. Can you imagine how much of a pain it would be to escape every instance of 'die' or 'exit' or 'print' from PHP strings?

--
justin
http://justinhileman.com
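To make the point of the reply concrete, here is an added example (my own code, not from any poster in this thread) that sends Brian's exact string through three sinks: a log file, a database query and a shell command. It assumes PHP 8 with the PDO SQLite extension available and a writable temp directory; the function names and the log path are my own choices.

```php
<?php
// Added example, not from the thread: the same user-supplied string is inert
// when stored as data and only matters at a sink that evaluates it.

declare(strict_types=1);

// Constructed input: the payload quoted in the thread, exactly as PHP would
// receive it from $_GET. It is a plain string; the backticks are ordinary bytes.
$user_input = '`rm -Rf /`';

/** Sink 1: a log file. The string is written byte-for-byte; nothing runs. */
function append_log(string $path, string $input): string
{
    $line = date('c') . ' input=' . $input . PHP_EOL;
    file_put_contents($path, $line, FILE_APPEND | LOCK_EX);
    return $line;
}

/** Sink 2: a SQL query. Binding the value as a parameter keeps it data,
 *  so the DB never parses it as SQL. */
function store_input(PDO $db, string $input): int
{
    $stmt = $db->prepare('INSERT INTO inputs (value) VALUES (:v)');
    $stmt->execute([':v' => $input]);
    return (int) $db->lastInsertId();
}

/** Sink 3: a shell command. This is the only place the backticks would
 *  matter. Interpolating $input straight into the command string would be
 *  the bug; escapeshellarg() wraps it as one quoted argument so the shell
 *  treats the whole thing as literal text. */
function grep_log(string $path, string $input): string
{
    $cmd = 'grep -F -- ' . escapeshellarg($input) . ' ' . escapeshellarg($path);
    return (string) shell_exec($cmd);
}

// Hypothetical log path for the demonstration.
$log = sys_get_temp_dir() . '/inert-input.log';

$line = append_log($log, $user_input);
assert(str_contains($line, '`rm -Rf /`'));   // stored verbatim, nothing executed

$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE inputs (id INTEGER PRIMARY KEY, value TEXT)');
store_input($db, $user_input);
$stored = $db->query('SELECT value FROM inputs')->fetchColumn();
assert($stored === $user_input);             // round-trips as a value

// grep prints the logged line back; the input was an argument, not a command.
echo grep_log($log, $user_input);
```

The takeaway is the one Justin makes: sanitise at the sink that interprets the bytes (shell, SQL, eval), not at every place a string merely passes through.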

_______________________________________________
New York PHP User Group Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk

http://www.nyphp.org/show_participation.php
