
Reputation: 2425

PHP Security - $_POST - Injection

Before going live with my website, I gave some thought to security:

This question is about understanding the processing in PHP and does not strive for a solution for securing the form.

Consider this barebones script, which is completely insecure against XSS and SQL injections if provided.

<?
if ($_POST['submit']=="1"){

    $input = $_POST['input'];
    echo "echo the input: ".$input."<br/>";
}
?>
<form action="<? $PHP_SELF;?>" method="POST">
<input type="text" name="input" value="<? echo $_POST['input'];?>"/>
<input type="hidden" name="submit" value="1"/>
<input type="submit" value="submit"/>
</form>

I am wondering why an injection like this does not work (in the field input):

";unset('index.php');

I am naively thinking the "; would end the echo and then proceed with the code. Actually I am very happy this does not work, but I would like to know why. In SQL, something like this would actually work: ' OR 1'.

I know how to secure this with addslashes or htmlspecialchars, but this is not the question. I want to gain an insight into how PHP works in processing this.

Thanks

Upvotes: 3

Views: 16059

Answers (2)

Damien Pirsy

Reputation: 25445

The contents of the $_POST array elements are strings. So, whenever you submit ";unset('index.php');" (btw, doesn't unset work on variables?) you actually send that as a string, not as PHP executable code.

Unless you're using eval(), you don't need to fear PHP code being evaluated.

Another thing: don't use addslashes() to secure queries, but use your library's dedicated function, such as mysql_real_escape_string() for MySQL. Or better, use query bindings with prepared statements and parameterized queries.

Upvotes: 1

Niet the Dark Absol

Reputation: 324810

It would work if you put it through eval(), but otherwise it's just a string like any other.

Upvotes: 1
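The point both answers make, as an added example that is not code from the question or from either answerer: the submitted value is inert to PHP, and only a parser further down the line (the browser's HTML parser, the database's SQL parser) reacts to its quote characters. It assumes PHP with the pdo_sqlite extension; the `users` table and the `$sqlInput` value are constructed for the demonstration.

```php
<?php
// Added example, not the asker's code. $input stands in for $_POST['input'].
$input = '";unset(\'index.php\');';   // the string from the question

// 1. To PHP the value is a string. Nothing re-parses it as source.
var_dump(is_string($input), strlen($input));

// 2. HTML context: the browser's parser, not PHP, reacts to the quote.
//    Unencoded, the " ends the value attribute; encoded, it stays text.
$unsafe = '<input type="text" name="input" value="' . $input . '"/>';
$safe   = '<input type="text" name="input" value="'
        . htmlspecialchars($input, ENT_QUOTES, 'UTF-8') . '"/>';
echo $unsafe, "\n", $safe, "\n";

// 3. SQL context: the database's parser reacts to the quote.
//    Constructed table and constructed input, in-memory SQLite via PDO.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (name TEXT)");
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

$sqlInput = "nobody' OR '1'='1";     // constructed sample value

// Concatenation: the input becomes part of the statement text.
$concat = $db->query("SELECT name FROM users WHERE name = '" . $sqlInput . "'")
             ->fetchAll(PDO::FETCH_COLUMN);

// Bound parameter: the input is sent as a value, never parsed as SQL.
$stmt = $db->prepare("SELECT name FROM users WHERE name = ?");
$stmt->execute([$sqlInput]);
$bound = $stmt->fetchAll(PDO::FETCH_COLUMN);

printf("concatenated query matched %d rows, bound query matched %d rows\n",
       count($concat), count($bound));
```

Run from the command line, the two rendered `<input>` lines show where the quote ends the attribute, and the row counts show the difference between building SQL text and binding a value.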
