Thursday, October 15, 2020

PHP - Some dangers of using eval()

I would like to say something quick about the eval() function in PHP. If you don't know what PHP is, PHP is a server-side programming language that many web applications use (Facebook, for example, was originally built on it). If you know PHP but not eval(), the eval() function takes a string and executes it as PHP code, so it is like embedding a PHP script inside your script, except that the script is whatever the string happens to contain at run time.

Now, if you are a PHP programmer and plan to use eval() for anything, the warning is this: never build the string you pass to eval() from $_GET, $_POST, or anything else that comes from the request (the URL query string, the POST body, cookies, headers). Whatever the user puts there becomes part of your program, not just part of its data.

How I came across this was by thinking about it while working on using eval() to rewrite a custom variable using a variable. I used $_GET inside the eval(), and when thinking about it, I thought that it could easily be injected into, so I decided to add echo 'Hello World' in the query of the URL, and when the page loaded, it printed. And I was just using $_GET to assign to a variable, not to print it raw.
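To make the experiment above concrete, here is an added example that is not code from the original post. It reproduces the situation described: a request value is spliced into a string that is then handed to eval(), and a query value containing an echo ends up running. The function names, the request arrays and the exact shape of the eval() string are assumptions made for this illustration; the arrays stand in for $_GET / $_POST so the script runs from the command line without a web server.

```php
<?php
// Added example, not code from the original post. The $request arrays are
// constructed stand-ins for $_GET / $_POST; the function names and the
// shape of the eval() string are assumptions made for this illustration.

// Constructed sample requests: what $_GET (or $_POST) might contain.
$benignRequest    = ['value' => 'Hello'];
$maliciousRequest = ['value' => '"; echo \'Hello World\'; $z = "'];

// Vulnerable (assumed shape of the post's code): the request value is
// pasted into PHP source and executed. The intent is only to assign a
// string to $custom, but the double quote in the payload closes the
// string literal and everything after it runs as PHP.
function vulnerableAssign(array $request): array
{
    $custom = null;
    $code = '$custom = "' . ($request['value'] ?? '') . '";';
    ob_start();                // capture whatever the injected code prints
    eval($code);               // eval() runs in this function's scope
    $printed = ob_get_clean();
    return ['code' => $code, 'custom' => $custom, 'printed' => $printed];
}

// Hardened: no source code is generated, so the value is only ever data,
// whatever characters it contains.
function safeAssign(array $request): array
{
    $custom = (string) ($request['value'] ?? '');
    return ['code' => null, 'custom' => $custom, 'printed' => ''];
}

// Hardened variant for the case where the request picks WHICH variable to
// set: keep the candidates in an array and accept only names from a fixed
// allowlist (assumed names). Still no code is built or executed.
function safeNamedAssign(array $request, string $value): array
{
    $allowed = ['site_title', 'tagline'];
    $name = $request['name'] ?? '';
    if (!in_array($name, $allowed, true)) {
        throw new InvalidArgumentException("unknown variable name: " . $name);
    }
    return [$name => $value];
}

$cases = ['benign' => $benignRequest, 'malicious' => $maliciousRequest];
foreach ($cases as $label => $request) {
    $viaEval = vulnerableAssign($request);
    $safe    = safeAssign($request);
    echo "[" . $label . "]\n";
    echo "  eval() executed:   " . $viaEval['code'] . "\n";
    echo "  eval() set custom to " . var_export($viaEval['custom'], true)
       . " and printed " . var_export($viaEval['printed'], true) . "\n";
    echo "  safe assign set custom to " . var_export($safe['custom'], true) . "\n";
}

// The allowlisted version rejects a name that tries to smuggle code in.
foreach (['site_title', 'x = 1; echo 1; $y'] as $name) {
    try {
        $vars = safeNamedAssign(['name' => $name], 'Welcome');
        echo "accepted: " . key($vars) . "\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: " . $e->getMessage() . "\n";
    }
}
```

Running this with php from the command line shows the malicious request leaving $custom empty and printing Hello World through eval(), while the safe version simply stores the whole payload as a string. In a real page the only difference is that $request would be $_GET or $_POST, and the outcome is the same for both.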

This quick blog post is to share my experiment showing that eval() is not safe to use with things such as $_GET and $_POST. Also, even though you cannot see $_POST values in the URL, that doesn't mean an attacker can't use them to inject code into your webpage; anyone can send a POST request with whatever body they like.
