PHP GET variable array injection
Solution 1
PHP will parse the query string, and inject those values in the $_GET super-global array (same for $_POST if this was done in a form using POST, btw).
In your case, the $_GET array will contain this:
array
  'a' =>
    array
      0 => string 'asd' (length=3)
      1 => string 'asdasd' (length=6)
  'b' =>
    array
      0 => string '$a' (length=2)
Each value passed in the query string will be put by PHP in the $_GET array, creating sub-arrays if necessary, when there are [] used in the query string.
But this doesn't cause any kind of "code execution": as long as you deal with input properly (i.e. don't trust the input and use eval on it, or any kind of bad idea like this), there is no risk of code-injection.
Solution 2
echo $_GET['a'][0]; //prints "asd"
echo $_GET['a'][1]; //prints "asdasd"
echo $_GET['b'][0]; //prints "$a"
Solution 3
Long story short: no code execution. Otherwise, don't you think somebody would have hacked Facebook already? :)
I think the person who told you that was confused about some other bugs that used deep array nesting to trigger a buffer overflow/double free/some other hack vector, that could theoretically be used to execute some code. Those are software bugs as you can see every day in many popular software. They usually get patched quickly.
You might find more info at http://www.suspekt.org/
Solution 4
I think he is talking about something evaluating differently when passed an array:
if ( strcasecmp( $_GET['password'], $password ) == 0 )
{
    echo($secret);
}
If you pass an empty array into strcasecmp it will evaluate to true for whatever reason.
IE: index.php?password=[]
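An added example, not part of any answer on this page, showing the two behaviours Solutions 1 and 4 describe: bracketed parameters become arrays without being evaluated, and a comparison that assumes a string needs a type check. The names `$expected`, `weak_check()` and `strict_check()` and the query string are constructed for illustration.

```php
<?php
// Added example: hypothetical names, constructed input.

// parse_str() applies the same bracket rules PHP uses to populate $_GET.
parse_str('a[]=asd&b[]=$a&password[]=', $query);

// "$a" arrives as two literal characters; PHP never evaluates request data.
var_dump($query['b'][0] === '$a');
// "password[]=" turns the value into an array instead of a string.
var_dump(is_array($query['password']));

$expected = 'hunter2'; // constructed secret for the demo

// Pattern from Solution 4: no type check, loose comparison of the result.
function weak_check($input, string $expected): bool
{
    // PHP < 8: an array argument raises a warning and strcasecmp() returns
    // NULL, and NULL == 0 is true. PHP >= 8 throws a TypeError instead.
    return strcasecmp($input, $expected) == 0;
}

// Hardened form: require a string, then compare exactly in constant time.
// Unlike strcasecmp(), hash_equals() is case-sensitive.
function strict_check($input, string $expected): bool
{
    return is_string($input) && hash_equals($expected, $input);
}

foreach (['hunter2', 'wrong', $query['password']] as $input) {
    try {
        $weak = weak_check($input, $expected) ? 'accepted' : 'rejected';
    } catch (TypeError $e) {
        $weak = 'TypeError';
    }
    $strict = strict_check($input, $expected) ? 'accepted' : 'rejected';
    printf("%-6s weak=%-9s strict=%s\n", gettype($input), $weak, $strict);
}
```

The same `is_string()` guard applies to any request parameter passed to a function that expects a scalar.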
Solution 5
It seems like you misunderstood something.
The above example simply creates an array like
Array (
    [a] => Array (
        [0] => asd
        [1] => asdasd
    )
    [b] => Array ( [0] => $a )
)
This is documented and works exactly as intended.
dave
Updated on September 14, 2020
dave almost 4 years
I've recently learned that it's possible to inject arrays into PHP GET variables to perform code execution?
.php?a[]=asd&a[]=asdasd&b[]=$a
That was the example I was given. I have no idea how it works and was wondering if this is even possible?