Variable variables are a very convenient feature of PHP. As the manual explains, a variable variable is one whose variable name can be set dynamically!
So what security issues arise when the name of a variable can be set dynamically? Let's take a look:
<?php $a = 'phpinfo'; $a(); ?>
This code is easy to understand. The variable $a holds the string phpinfo. When () is appended to the variable, PHP treats that string as a function name, so the phpinfo function is called dynamically!
Following the same principle, we adapt the variable variables example from the manual:
<?php $a = 'phpinfo'; ${$a()}; ?>
Here the dynamic function call is placed inside a variable variable. Of course, my wording is a bit unprofessional; the proper term is variable variables. We will find that the phpinfo function is still executed!
If you have read the manual and the examples I gave, you must feel that this is not magical at all. It is simply a feature of PHP's syntax. Next we take it one step further and collapse it into one line:
<?php $a = "${${phpinfo()}}"; ?>
These are two nested variable variables. We just fill in the contents of the variable variables ourselves, following the example above. In effect, we assign a certain function to a certain variable, so the phpinfo function is finally executed, and this becomes a prototype of various vulnerabilities and webshells!
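As an added example that is not part of the original article, the scanner below uses PHP's tokenizer to flag the three constructs shown above ($a(), ${...} and "${...}") in source text without executing it. The function name find_dynamic_constructs and the sample input are assumptions made for illustration, and it relies on the tokenizer extension, which is enabled by default.

```php
<?php
// Added example: find_dynamic_constructs() is a hypothetical helper name.
// token_get_all() only lexes the text; nothing in $source is executed.
function find_dynamic_constructs(string $source): array
{
    $findings = [];
    $line = 1;
    $prev = null;      // previous significant token
    $prevLine = 1;     // line on which that token started
    foreach (token_get_all($source) as $tok) {
        $text = is_array($tok) ? $tok[1] : $tok;
        $at = $line;                            // line where this token starts
        $line += substr_count($text, "\n");
        if (is_array($tok) && in_array($tok[0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)) {
            continue;                           // ignored when checking adjacency
        }
        if ($tok === '(' && is_array($prev) && $prev[0] === T_VARIABLE) {
            // $a(): the string held in $a is used as a function name
            $findings[] = [$prevLine, "variable function call {$prev[1]}()"];
        } elseif ($tok === '{' && $prev === '$') {
            // ${expr}: the variable name is computed at run time
            $findings[] = [$prevLine, 'variable variable with a computed name'];
        } elseif (is_array($tok) && $tok[0] === T_DOLLAR_OPEN_CURLY_BRACES) {
            // "${...}": an expression evaluated during string interpolation
            $findings[] = [$at, '${ interpolation inside a double-quoted string'];
        }
        [$prev, $prevLine] = [$tok, $at];
    }
    return $findings;
}

// Constructed sample: the article's snippets as inert text (nowdoc, no parsing).
$sample = <<<'PHP'
<?php
$a = 'phpinfo';
$a();
${$a()};
$b = "${${phpinfo()}}";
echo '$a';
PHP;

foreach (find_dynamic_constructs($sample) as [$line, $what]) {
    echo "line $line: $what\n";
}
```

Findings are review leads rather than verdicts: legitimate code also calls closures through variables, so each hit needs a check of where the string or name comes from.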
After reading this, everyone should know why the experts asked me to read the PHP Manual. But does this article end here? We have missed one small point. Daniel has said that security is the foundation, and we haven't actually figured this one out yet: why do the variables in the earlier examples use single quotes, while the final example uses double quotes? If you have thought about this question, I think you should work in security: you definitely have great potential, and you may become a big deal in the future!
The difference between single quotes and double quotes in PHP also has to do with variables. Let's take a look at the following example:
<?php
$a = 'phpinfo()';
echo $a;   // outputs the string phpinfo()
echo '$a'; // outputs the string $a
echo "$a"; // outputs the string phpinfo()
?>
PHP parses the content inside double quotes for variables, while the content inside single quotes is treated directly as a literal string!
The above is the detailed content of A brief discussion on the security of PHP variable variables. For more information, please follow other related articles on the PHP Chinese website!