Is PHP injection a credible threat, if so how to guard against it

Hi
I am familiar with the concept of SQL injection and preventing it via precautions such as prepared statements. I am also familiar with the idea of htmlspecialchars() for preventing malicious JS etc.

Forgetting about client-side validation, which I see more as providing a good user experience than as any effective protection -

it seems to me that there is a point between when a user input is submitted to the server and when any actual validation is performed. For example -

```php
if (!filter_var(trim($_POST['email']), FILTER_VALIDATE_EMAIL)) {
    // handle the invalid address
}
```

We have no idea what $_POST['email'] actually contains until the validation has completed. Could a malicious user include malicious code that ‘repurposes’ the code?

Same for a password: could the actual $_POST['password'] value contain a malicious code segment that kicks in before $password = password_hash($_POST['password'], PASSWORD_DEFAULT); completes the desired process?

I do not understand all the technicalities but it seems to me that, however much checking and validating you do, there is a point at which an ‘unvalidated’ string is presented within a PHP ‘instruction’ PRIOR to validation, if only to actually validate it!

As a follow on, kind of bonus question if you will permit me -

It is common practice to allow - or even insist on - special characters within passwords. Should characters with particular ‘mathematical’ meanings, such as =, ( and ), be excluded to prevent any malicious activity hijacking the password validation itself?

Maybe I am paranoid, but it just seemed to me that there is a potential chink in the PHP armour here. I’ll just sleep easier if I know my validation attempts are not actually additional unlocked doors that could be exploited :)
Thanks guys

The content of variables cannot be executed in PHP as long as you do not use the eval() function.
So there is no chance for a hacker to start anything on your backend you haven’t coded.

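To make the point above concrete, here is an added example (not code from the thread) that feeds request-style input with PHP tags and "mathematical" characters through the same validation and hashing calls the question uses. It fills $_POST with constructed values so the script runs from the command line without a web server; the function names are this example's own.

```php
<?php
// Added example (not from the thread): request input is inert data in PHP.
// $_POST is filled with constructed values so this runs from the CLI.
$_POST = [
    'email'    => "  <?php echo 'not code'; ?>@example.com  ", // constructed: PHP tags inside a field
    'password' => 'p@ss=(word)||1==1;',                        // constructed: "mathematical" characters
];

// Returns the trimmed address, or null when it is not a valid address.
function validateEmail(string $raw): ?string
{
    $email = trim($raw);
    // filter_var only inspects the bytes of the string; nothing in it is parsed as PHP.
    return filter_var($email, FILTER_VALIDATE_EMAIL) === false ? null : $email;
}

// Every byte of the password is hash input; none of it is interpreted.
function hashPassword(string $raw): string
{
    return password_hash($raw, PASSWORD_DEFAULT);
}

// The "<?php" sequence is rejected as part of an invalid address; it was never run.
$email = validateEmail($_POST['email']);
var_dump($email);

// "=", "(", ")" and ";" are ordinary bytes: the exact password verifies,
// and a password differing only in the trailing ";" does not.
$hash = hashPassword($_POST['password']);
var_dump(password_verify($_POST['password'], $hash));
var_dump(password_verify('p@ss=(word)||1==1', $hash));

// A string only becomes code if the program hands it to the interpreter.
// That is the exception the answer names; the line is left commented out on purpose:
// eval('$x = "' . $_POST['email'] . '";');   // never do this with request data
```

The design point is that validation does not need to "protect" the validator: filter_var(), trim() and password_hash() consume the string as data, so the only door to watch for is code in your own program that passes request data to eval() or similar.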

I really did not know that!
Thanks for such a simple conclusive answer

There are a couple of other functions that are similarly “Be extremely cautious” (exec, passthru, anything with “delete” in it, anything with “execute” in it…) but yeah, Thallius is spot on; unless you’ve coded the script to do something dangerous with a string, it’s just a string.

The more likely threat was that your site had been compromised by another vector (FTP, etc.) and someone has put arbitrary-execution code onto your site without your knowledge. This was a common attack a few years ago when host security was more lax.

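Since the real risk in this answer is code that calls exec(), passthru(), eval() and friends, whether you wrote it or someone planted it, an added audit script (not from the thread) is one way to check a codebase for such calls. It uses PHP's own tokenizer rather than a regex, so it distinguishes a real call to exec() from a method named exec. The function list, file-walk helper and constructed sample source are this example's own assumptions.

```php
<?php
// Added example, not from the thread: list places where a string is handed to
// the interpreter (eval) or to a shell. RISKY_FUNCTIONS is this example's choice;
// it extends the names mentioned in the answer above.
const RISKY_FUNCTIONS = ['exec', 'passthru', 'system', 'shell_exec', 'proc_open', 'popen'];

// Returns one ['line' => int, 'what' => string] entry per suspicious call.
function findRiskyCalls(string $source): array
{
    $findings = [];
    $tokens   = token_get_all($source);
    $count    = count($tokens);
    $line     = 0;  // last line number seen on an array token

    for ($i = 0; $i < $count; $i++) {
        $tok = $tokens[$i];
        if (!is_array($tok)) {
            // A bare backtick opens the shell-execution operator `...`.
            if ($tok === '`') {
                $findings[] = ['line' => $line, 'what' => '`...` operator'];
                $i++;
                while ($i < $count && $tokens[$i] !== '`') { $i++; }  // jump to the closing backtick
            }
            continue;
        }
        [$id, $text, $line] = $tok;
        if ($id === T_EVAL) {
            $findings[] = ['line' => $line, 'what' => 'eval'];
        } elseif ($id === T_STRING && in_array(strtolower($text), RISKY_FUNCTIONS, true)) {
            // Only a real function call: name followed by "(" and not preceded by
            // "->", "::" or "function" (method calls and definitions are skipped).
            $next = $i + 1;
            while ($next < $count && is_array($tokens[$next]) && $tokens[$next][0] === T_WHITESPACE) { $next++; }
            $prev = $i - 1;
            while ($prev >= 0 && is_array($tokens[$prev]) && $tokens[$prev][0] === T_WHITESPACE) { $prev--; }
            $prevId = ($prev >= 0 && is_array($tokens[$prev])) ? $tokens[$prev][0] : null;
            $isCall = $next < $count && $tokens[$next] === '('
                   && !in_array($prevId, [T_OBJECT_OPERATOR, T_DOUBLE_COLON, T_FUNCTION], true);
            if ($isCall) {
                $findings[] = ['line' => $line, 'what' => strtolower($text) . '()'];
            }
        }
    }
    return $findings;
}

// Scans every .php file under a directory; returns [path => findings].
function auditDirectory(string $dir): array
{
    $report = [];
    $it = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS));
    foreach ($it as $file) {
        if (strtolower($file->getExtension()) !== 'php') { continue; }
        $found = findRiskyCalls(file_get_contents($file->getPathname()));
        if ($found) { $report[$file->getPathname()] = $found; }
    }
    return $report;
}

// Constructed sample source so the script demonstrates itself without a real codebase.
$sample = <<<'PHP'
<?php
$out = exec('ls -l');         // flagged: shell command from a string
$db->exec($sql);              // not flagged: a method named exec
eval($snippet);               // flagged: string handed to the interpreter
$host = `hostname`;           // flagged: backtick operator
function passthru_helper() {} // not flagged: different name
PHP;

$targets = isset($argv[1]) ? auditDirectory($argv[1]) : ['(constructed sample)' => findRiskyCalls($sample)];
foreach ($targets as $path => $findings) {
    echo $path, PHP_EOL;
    foreach ($findings as $f) {
        printf("  line %d: %s\n", $f['line'], $f['what']);
    }
}
```

Run it with no arguments to see the findings for the embedded sample, or pass a directory (php audit.php /var/www/site) to walk a real tree. A hit is not automatically a vulnerability, but every hit is a place where a string becomes code or a command, so each one deserves a look at where that string comes from.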

Thank you!
