Home/ Questions/Q 7024735
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-27T23:52:51+00:00

Before going live with my website, i made some thoughts about security: This question

  • 0

Before going live with my website, i made some thoughts about security:

This question is about understanding the Processing in PHP and not strives for a solution in securing the form.

Consider this barebone script which is completely insecure against xss and
sql injections if provided.

<?
if ($_POST['submit']=="1"){

    $input = $_POST['input'];
    echo "echo the input: ".$input."<br/>";
}
?>
<form action="<? $PHP_SELF;?>" method="POST">
<input type="text" name="input" value="<? echo $_POST['input'];?>"/>
<input type="hidden" name="submit" value="1"/>
<input type="submit" value="submit"/>
</form>

i am wondering why such an injection like this does not work (in the field input):

";unset('index.php');

i am naively thinking the “; would end the echo and than proceed with the code.
Actually i am very happy this does not work but i would like to know why.
In SQL kind of this would actuall work ‘ OR 1’.

i know to secure this with addslashes or htmlspecialchars but this is not the question. I want to gain an inside of how php works in processing this.

thanks

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    The content of $_POST array elements are strings. So, whenever you submit “;unset(‘index.php’);” (btw, doesn’t unset work on variables?) you actually send that as a string, not as PHP executable code.

    Unless you’re using eval(), you don’t need to fear about php code being evaluated.

    Another thing, don’t use addslashes() to secure queries, but use your library’s dedicated function, such as mysql_real_escape_string() for mysql. Or better use query bindings with prepared statements and parametrized queries.

    • 0