user7104700 - 29 days ago 14
PHP Question

Security of PHP POST Array

I'm learning how to save my project from attackers, so I have a question.

I have a form with username and password fields that are passed through to a PHP script.

The received array is like this:
Array([username] => X, [password] => Y)


Can an attacker escape this array to inject arbitrary PHP code into my script?

If yes, then how is he doing that, and how can I counteract it?


Thanks for your help.

Answer

An attacker cannot "escape" a PHP array, because the contents of the array are not executed as code. It may contain a string of PHP, but that string is not executed.

What may be insecure is how your PHP code handles the user input later on.

If you are outputting the data without sanitising it, the user could put in any JavaScript code that would then appear on your site (for more info, look up cross-site scripting or XSS). To prevent this in PHP, check out this question.

Alternatively, if you are putting the data into a database without escaping it, the user could enter their own SQL commands (for more info look up SQL Injection). To prevent this in PHP, use something like PDO with prepared statements.
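The two points in the answer, bound SQL parameters and escaped HTML output, put together as an added PHP example. This is not code from the question or the answer; it assumes PDO with the pdo_sqlite extension so it can run against an in-memory database, and the `users` table, the row it inserts and the function names are all constructed for the example.

```php
<?php
// Added example: handling the username/password POST array safely.
// Assumes PDO with pdo_sqlite available; table and sample row are constructed.

declare(strict_types=1);

function read_credentials(array $post): ?array
{
    // $_POST values are plain strings (or nested arrays). Nothing in them is
    // executed as PHP, so the only job here is type and length validation.
    $username = $post['username'] ?? null;
    $password = $post['password'] ?? null;
    if (!is_string($username) || !is_string($password)) {
        return null;
    }
    if (strlen($username) < 1 || strlen($username) > 64 || strlen($password) > 1024) {
        return null;
    }
    return ['username' => $username, 'password' => $password];
}

function find_user(PDO $pdo, string $username): ?array
{
    // Prepared statement: the username is bound as a parameter, never
    // concatenated into the SQL text, so quotes or SQL keywords in it
    // are treated as data, not as part of the query.
    $stmt = $pdo->prepare('SELECT id, username, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function login(PDO $pdo, array $post): string
{
    $creds = read_credentials($post);
    if ($creds === null) {
        return 'Invalid request.';
    }
    $user = find_user($pdo, $creds['username']);
    // password_verify() checks against a password_hash() value, so the
    // database only ever holds a hash, never the plaintext password.
    if ($user === null || !password_verify($creds['password'], $user['password_hash'])) {
        return 'Login failed.';
    }
    // Output escaping: htmlspecialchars() converts <, >, &, " and ' into
    // entities, so a username containing markup is displayed as text
    // instead of being interpreted by the browser (XSS prevention).
    return 'Welcome, ' . htmlspecialchars($user['username'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed setup: in-memory SQLite so the example runs without a server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
$ins = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
$ins->execute([':u' => "o'brien <b>", ':h' => password_hash('correct horse', PASSWORD_DEFAULT)]);

// A username containing a quote and a tag: the quote does not break the
// query (bound parameter) and the tag is rendered as text (escaped output).
echo login($pdo, ['username' => "o'brien <b>", 'password' => 'correct horse']), "\n";
// Wrong password: generic failure message, no detail about which field was wrong.
echo login($pdo, ['username' => "o'brien <b>", 'password' => 'wrong']), "\n";
// A nested array instead of a string is rejected before reaching the database.
echo login($pdo, ['username' => ['nested'], 'password' => 'x']), "\n";
```

The `read_credentials` step is what makes the rest safe to reason about: PHP happily builds `username[]=...` into a nested array, so checking `is_string` before passing the value to `prepare`/`execute` or `htmlspecialchars` avoids type errors that would otherwise surface as 500s. Escaping is done at output time with the encoding named explicitly, rather than at input time, so the stored value stays intact for other uses.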
