Search code examples
phpsecuritycode-injection

Is it possible to hack a website which use unfiltered GET parameter this way

Is there a way to execute some code on my website, with the following code:

$a = $_GET['a'];
$b = 'abc' . $a;
$c = $a;

And, let's say, there will be no more usage of $a, $b and $c variables in the code - just an assignment and, for example, concatenation. Is it possible to execute some malicious code in this place? (actually I think the answer is no, because then no sanitation would ever be possible at all).

And how about this one (I'm pretty sure, it is vulnerable, if we put some characters into $a, that will be unescaped to commas during some internal http and php proccessing):

$a = $_GET['a'];
$b = "abc $a";

Sorry, I know, this is the basics and silly question, and I should just use some good sanitizer library and don't worry. But I want to be sure, and start with very basics, and I can't say, that the site is 100% secure while it's not getting hacked, I just can say that it is unsecure when one day it occasionally get hacked.

ADDED: Any example of hacking any of this two scripts would be greatly appreciated, I want to hack my own website, which contains code like posted above, to clearly understand, that "in this place, if you program this way, your site will be vulnerable, so you should program it this (another) way.

Solution

  • And, let's say, there will be no more usage of $a, $b and $c variables in the code - just an assignment and, for example, concatenation. Is it possible to execute some malicious code in this place?

    No. You have to put the data somewhere where it will be treated as code rather than plain data for there to be a vulnerability. (At least in this context since you don't have to worry about buffer overflows).

    And how about this one (I'm pretty sure, it is vulnerable, if we put some characters into $a, that will be unescaped to commas during some internal http and php proccessing):

    Again, no. The URL decoding routines themselves don't have any known vulnerabilities, and you aren't putting the data anywhere that a comma will have any significant meaning. Interpolating a string variable into another string is entirely safe. (You might later do something with the resulting string which is unsafe, but that's out of the scope of your question.).