Is it possible for someone to execute a code through a URL for example
http://localhost/page.php?code=echo 'something';
If yes then how can it be done and how can you prevent it from happening?
-
you mean executing PHP code ? you can't, unless your PHP script parses & handles the query string very well.Raptor– Raptor2013-06-03 13:15:03 +00:00Commented Jun 3, 2013 at 13:15
-
1Execute code where? On the server? On the client?Oswald– Oswald2013-06-03 13:16:21 +00:00Commented Jun 3, 2013 at 13:16
-
You may go for javascript. check this: stackoverflow.com/questions/7279557/…Ravimallya– Ravimallya2013-06-03 13:16:34 +00:00Commented Jun 3, 2013 at 13:16
-
1You can, if the server side code is severely broken. But you'd have to really try to make that kind of mistake.JJJ– JJJ2013-06-03 13:17:14 +00:00Commented Jun 3, 2013 at 13:17
-
1@Juhana — It is hard to make the sort of mistake where PHP gets executed by accident, but very easy to allow JavaScript or SQL to be executed (W3Schools have plenty of tutorials that teach you how).Quentin– Quentin2013-06-03 13:42:36 +00:00Commented Jun 3, 2013 at 13:42
|
Show 4 more comments
2 Answers
It's possible if something on the server takes the data in the URL and puts it somewhere where it might be treated as code (e.g. in an eval statement, in an SQL query or in an HTML document).
The defences are all specific to the place where you put the data, but usually involve escaping it.
See also SQL Injection, XSS, and the open web application security project.
Comments
After looking around for a while, I found eval which is a function that is capable of executing any php code provided in a GET like my example above, I used the following code to test it.
<?php
$code = $_REQUEST['code'];
eval($code);
?>