The following from a php webpage looks to me like some code which could be exploited.
# Maps a uri like questions/ask/index.php?anything=something to questions/ask/index.php
$path = substr($_SERVER['REQUEST_URI'], 0, strpos($_SERVER['REQUEST_URI'], "?"));
Can one of the following statements be exploited by a an attacker sending php syntax in the request uri? And if so, how do you avoid that?
Variant 1:
header('Location: http://'.$_SERVER['SERVER_NAME'].$_SERVER['REQUEST_URI'].'&tag='.$tags);
Variant 2:
<p>...<?php echo $path; ?>... </p>
Echoing PHP code doesn't make it run. For example, try:
<?php
$path = "echo 'hello';";
echo $path;
?>
echo 'hello'; is not going to be run.
For this to be a real vulnerability the app would have to be using eval() or something similar.
The real issue with printing out user input directly is Javascript injection or Cross-site scripting injection, not PHP injection.