php tutorial substr_replace replaces characters at specified positions and memory corruption vulnerability
Tips and Notes
Note: If start is negative and length is less than or equal to start, length is 0.
$username = "zongzi";
echo substr_replace($username,'**','1','2');
Definition and usage
The substr_replace() function replaces part of a string with another string.
Grammar
substr_replace(string,replacement,start,length) parameter description
string required. Specifies the string to check.
replacement required. Specifies the string to be inserted.
start is required. Specifies where in the string to begin replacement.
Positive number - start replacing
at offset start
Negative numbers - replace
starting at start offset from the end of the string
0 - Start replacing
at the first character in the string
charlist Optional. Specifies how many characters to replace.
Positive number - the length of the string to be replaced
Negative number - the number of characters to be replaced starting from the end of the string
0 - insert instead of replace
The function is the same as php’s substr_replace()
'Parameters: replaced content, replacement content, starting bit, replacement length
function substr_replace(sourcecon,repcon,startx,lenx)
dim reped
reped = mid(sourcecon,startx,lenx) 'Extract the original content of the same length
dim scleftx,scleft
scleftx = startx-1
If scleftx<1 then
scleft = ""
else
scleft = left(sourcecon,scleftx)
end if
Substr_replace = replace(sourcecon,reped,repcon,startx,1)
substr_replace = scleft&substr_replace
end function
() Interrupt Memory Corruption Vulnerability
bugraq id:
cve id:cve-2010-2190
cncve id:cncve-20102190
Vulnerability release time: 2010-05-31
Vulnerability update time: 2010-06-28
Cause of vulnerability
Design error
Hazard level
Low
Influence system
php 5.2 <= 5.2.13
php 5.3 <= 5.3.2
No system impact
Hazard
A remote attacker could exploit the vulnerability to leak sensitive information.
Required conditions for attack
An attacker would have to gain access to an application that uses the substr_replace() function.
Vulnerability information
PHP is a popular web programming language.
There is an information leakage problem in PHP's substr_replace() function:
php_function(substr_replace)
{
...
if (zend_parse_parameters(zend_num_args() tsrmls_cc, "zzz|z", &str, &repl, &from, &len) == failure) {
return;
}
if (z_type_pp(str) != is_array) {
convert_to_string_ex(str);
}
if (z_type_pp(repl) != is_array) {
convert_to_string_ex(repl);
}
if (z_type_pp(from) != is_array) {
convert_to_long_ex(from);
}
if (argc > 3) {
separate_zval(len);
if (z_type_pp(len) != is_array) {
convert_to_long_ex(len);
l = z_lval_pp(len);
}
} else {
if (z_type_pp(str) != is_array) {
l = z_strlen_pp(str);
}
}
if (z_type_pp(str) == is_string) {
if (
(argc == 3 && z_type_pp(from) == is_array) ||
(argc == 4 && z_type_pp(from) != z_type_pp(len))
) {
php_error_docref(null tsrmls_cc, e_warning, "'from' and 'len' should be of same type - numerical or array ");
return_stringl(z_strval_pp(str), z_strlen_pp(str), 1);
}
使用不同类型的‘from’和'len'参数调用substr_replace()函数,会触发e_warning错误。如果php没有删除调用时通过引用传递功能,用户空间错误处理器会使用这个中断更改'str'参数类型。如果'str'类型更改为整数类型可导致泄漏任意内存,如果'str'更改为数组,允许泄漏使用重要内存偏移的哈希表。
How to check memory
How to send your location to someone else
How to open php file
How to remove the first few elements of an array in php
What to do if php deserialization fails
What are the video server configuration parameters?
How to connect php to mssql database
How to connect php to mssql database
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
