WTF: Client Side PHP
April 21st, 2006
Some guy combined XMLHttpRequest (AJAX) with PHP's eval(), Web 2.0 style, and created a real monster: the browser assembles PHP source as a string and ships it to the server, which simply executes whatever it receives.
I think the code says it all:
function saveform() {
    var firstName = escapeSql(mainForm.elements.txtFirstName.value);
    var lastName  = escapeSql(mainForm.elements.txtLastName.value);
    /* ... */
    var offerCode = escapeSql(mainForm.elements.txtOfferCode.value);

    // PHP source is built here, in the browser, from the form values
    // (escapeSql(), ssn and execPhp() are defined in the elided parts)
    var code =
        ' $cn = mssql_connect($DB_SERVER, $DB_USERNAME, $DB_PASSWORD) ' +
        '     or die("ERROR: Cannot Connect to $DB_SERVER"); ' +
        ' $db = mssql_select_db($DB_NAME, $cn); ' +
        ' ' +
        ' if (mssql_query("SELECT 1 FROM APPS WHERE SSN=\'' + ssn + '\'", $cn)) ' +
        ' { $ins = false; } ' +
        ' else ' +
        ' { $ins = true; } ' +
        ' ' +
        ' if ($ins) { ' +
        '     $sql = "INSERT INTO APPS (FIRSTNM, LASTNM, ..., OFFERCD) VALUES ("; ' +
        '     $sql+= "\'' + firstName + '\',"; ' +
        '     $sql+= "\'' + lastName + '\',"; ' +
        '     $sql+= "\'' + offerCode + '\')"; ' +
        ' ' +
        '     /* ... */ ' +
        ' ' +
        '     mssql_query($sql, $cn); ' +
        '     mssql_close($cn); ';

    // ...and sent to the server to be eval()'d as-is
    execPhp(code);
}
No doubt the escapeSql() function is most robust in stopping SQL injection attacks.
Tags: JavaScript, PHP, Web 2.0, Web Development
Comments (2)

ha ha
At least the coder had heard about SQL injections...
This is incredible, it is almost as if Monty Python have returned:
Monty Python and the Search of the Holy Web(2)
What about the user doing something like:
javascript:execPhp('passthru("rm -rf ~/*");');
or
javascript:execPhp('$fhandle=fopen("~/index.php","w");fwrite($fhandle,"<?php passthru(\"rm -rf ~/*\") ?>");fclose($fhandle)');
and so on... Allowing the client to use your exec() function is dangerous, as even if you use complex protection, it's usually not that hard to turn your own code against you. The only way to safely do something like this is to either use a ton of regexps, or implement your own scripting language in PHP... on the server side. You have to automatically assume that anything coming from the client can be manipulated to be whatever the client wishes, and exec($_POST['somevar']); is right up there with passwd-ing your webserver account and giving out the password to anyone who wants it, while running an SSH server that would allow them to log in. It could just be paranoia, but that might be a bad thing...
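The same save flow done the way the post and the comment above both point at, as an added example that is not part of the original post or the quoted WTF code: the browser posts plain field values, and a server-side PHP handler validates them and runs parameterized queries, so no code ever travels from client to server and escapeSql() is not needed. The PDO sqlsrv driver, a table APPS with SSN, FIRSTNM, LASTNM and OFFERCD columns, and DB_SERVER/DB_NAME/DB_USERNAME/DB_PASSWORD constants are assumptions.

```php
<?php
// Added example, not the original code. The form submits with something like
//   fetch('/save.php', { method: 'POST', body: new FormData(mainForm) });
// and only data, never PHP source, crosses the wire.

function saveApplication(PDO $db, array $post): string
{
    // Whitelist the fields we accept; anything else in $post is ignored.
    $fields = ['ssn', 'firstName', 'lastName', 'offerCode'];
    $row = [];
    foreach ($fields as $f) {
        if (!isset($post[$f]) || !is_string($post[$f])) {
            return "missing field: $f";
        }
        $row[$f] = trim($post[$f]);
    }
    // Shape checks happen on the server; client-side checks are a convenience only.
    if (!preg_match('/^\d{9}$/', $row['ssn'])) {
        return 'invalid ssn';
    }
    if (!preg_match('/^[A-Za-z0-9-]{1,20}$/', $row['offerCode'])) {
        return 'invalid offer code';
    }

    // Existence check with a bound parameter instead of string concatenation.
    $chk = $db->prepare('SELECT 1 FROM APPS WHERE SSN = ?');
    $chk->execute([$row['ssn']]);
    if ($chk->fetchColumn() !== false) {
        return 'exists';
    }

    // Every value is bound; quotes in a name cannot change the statement.
    $ins = $db->prepare(
        'INSERT INTO APPS (SSN, FIRSTNM, LASTNM, OFFERCD) VALUES (?, ?, ?, ?)'
    );
    $ins->execute([$row['ssn'], $row['firstName'], $row['lastName'], $row['offerCode']]);
    return 'inserted';
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Credentials stay on the server; the browser never sees them.
    $db = new PDO('sqlsrv:Server=' . DB_SERVER . ';Database=' . DB_NAME,
                  DB_USERNAME, DB_PASSWORD,
                  [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    header('Content-Type: text/plain');
    echo saveApplication($db, $_POST);
}
```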