Can php variable hold harmfull code safely? [closed]

问题:

Let's say I have a text file. It contains "harmfull" code like:

<?php phpinfo(); ?> 

or it could be anything else, SQL injection code, html links etc...

Now here is my example script:

$content = file_get_contents('harmfullcode.txt'); 

Now obviously $content variable will store that harmfull code.

My question is, is it safe to store such information in a variable?

I know for example if I

echo $content; 

then it WILL be harmfull.

But if I don't do anything with the variable, is it safe for the variable to hold any type of harmfull code?

Edited to make it more clear:

What is the difference between this?

$content = file_get_contents('harmfullcode.txt'); $safevar = removebadstuff($content); echo $safevar; 

VS

$content = removebadstuff(file_get_contents('harmfullcode.txt')); echo $content; 

the second example removes bad stuff before assigning it to $content...?? I'm kind of new to php security, trying to grasp the concept. Thank you.

回答1:

hey are nearly identical. You might want to unset $content in the first example as the second example only creates the local variable as the first parameter of removebadstuff.

Keep in mind that strings in PHP are binary-safe.

Required reading: The ultimate clean/secure function

回答2:

if will not be printed or eval'd then it's ok to store it in variable as any string variable.

回答3:

Unless the harmfull code is targeting a vulnerability in file_get_contents() or similar function of PHP itself, then just storing it in a variable should be safe. Outputing it might be unsafe, and running eval on it is most certainly a bad idea.

回答4:

It depends on how you treat this variable.

In your example, echo $content; will not be harmfull, it will just show the harmfull code, without execute it.

The harmfull examples:

eval($content);  exec($content); // any System program execution function  //preg_relace with e modifier, this is deperecated  // and so on ..... 

文章来源: Can php variable hold harmfull code safely? [closed]