Printable View
ok twey, i'll take ur word for it until i get hacked or learn to hack by injecting self-executing php code into a script that reads form data, and if that happens i'll get back to you and on your conscience may it remain :)Quote:
Originally Posted by Twey
You can't force something to execute as php from inside a string.
For example, try running this--
<?php echo "eval(1+1)"; ?>
The eval function executes the code, but since it's in quotes, as a string, it does nothing. It'll just print that.
injection of any malicious code usually works by first closing the quotes and the command then starting a new one.Quote:
Originally Posted by djr33
anyway, i'll settle for the "there's nothing to worry about" for the time being. i might just send some emails to php.net just to make sure though ;)
If this were possible in direct input into a script, no server-side script would be safe, since there would be no way to escape it.Quote:
injection of any malicious code usually works by first closing the quotes and the command then starting a new one.
Yeah. Quotes are converted to "safe" characters before being used in strings. You can't just put one in there from a form or something... it'll become a new character.
Are you referring to the "magic quotes" feature? That may protect data for certain uses, but for databases and such, the vendor-specific function (such as mysql_real_escape_string) should be used.Quote:
Originally Posted by djr33
For distributed code, magic quotes should never be relied upon as it is a configuration option (I have it disabled: I find it to be annoying, more than anything else). Development should be conducted without it, and code should be written to check the current state of the option and act accordingly.
Mike