-1

I have the following code:

<?php
     $param = $_GET['param'];
     echo $param;
?>

When I use it like:

mysite.com/test.php?param=2+2

or

mysite.com/test.php?param="2+2"

it prints

2 2

not

4

I also tried eval; neither worked.

encoree1337
  • Unless I'm not mistaking the "+" is used for URL encoding, so it would be translated to a %, which further translates to a white space. That's why you're getting 2 2. – Andrei P. Oct 12 '14 at 16:47

2 Answers

0

+ is encoded as a space in query strings. To have an actual addition sign in your string, you should use %2B.

However, it should be noted this will not perform the actual addition. I do not believe it is possible to perform actual addition inside the query string.

will
  • So how can I 'translate' it into +? I know it is possible, because e.g. you can use it to test for an SQL injection vulnerability - /index.php?id=2+2 – encoree1337 Oct 12 '14 at 16:49
0

Now, I would like to stress that you should avoid using eval: if it's your answer, you're asking the wrong question. It's a very dangerous piece of work. It can create more problems than it's worth, as per the manual specifications on this function:

The eval() language construct is very dangerous because it allows execution of arbitrary PHP code. Its use thus is discouraged. If you have carefully verified that there is no other option than to use this construct, pay special attention not to pass any user provided data into it without properly validating it beforehand.

So, everything that you wish to pass into eval should be screened against very, very strict criteria, stripping out other function calls and other possible malicious calls, and ensuring 100% that what you are passing into eval is exactly what you need. No more, no less.

A very basic scenario for your problem would be:

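if (!isset($_GET['Param'])){
    $Append = urlencode("2+2");   // "+" is sent as %2B so it survives URL decoding
    header("Location: index.php?Param=".$Append); exit;   // stop here; the redirected request runs the code below
}

// Request input is concatenated into PHP source and executed as-is.
$Code_To_Eval = '$Result = '.$_GET['Param'].';';
eval($Code_To_Eval);
echo $Result;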

Lines 1 through 4 only show how to correctly pass a character such as a plus symbol; the other lines of code work with the data string. And as @andreiP stated:

Unless I'm not mistaking the "+" is used for URL encoding, so it would be translated to a %, which further translates to a white space. That's why you're getting 2 2

This is correct. It explains why you are getting your current output. Also, please note that using:

echo urldecode($_GET['Param']);  

after encoding it will bring you back to your original output, which you want to avoid.


I would highly suggest looking into an alternative before using what I've posted.

Daryl Gill
  • @PaulCrovella This is what I was referring to when I say strict criteria. However, I'd rather stress that it is possible using this method, but ***NOT*** to use `eval` – Daryl Gill Oct 12 '14 at 21:02
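
One way to get 4 for the question's input without eval, as an added example that is not code from either answer: a small parser that accepts only numbers, + - * / and parentheses, run over query strings decoded the same way PHP fills $_GET. It assumes PHP 8 (for `match`); `safe_calc()`, `parse_level()` and `parse_atom()` are hypothetical names, and the query strings are constructed samples.

```php
<?php
declare(strict_types=1);
// Added example; safe_calc(), parse_level() and parse_atom() are hypothetical names.
function safe_calc(string $expr): float {
    // Whitelist: digits, ".", + - * /, parentheses and whitespace, capped in length.
    if (strlen($expr) > 64 || !preg_match('/^[0-9.+\-*\/()\s]+$/', $expr))
        throw new InvalidArgumentException('disallowed characters or too long');
    preg_match_all('/\d+(?:\.\d+)?|[-+*\/()]/', $expr, $m);
    $t = $m[0];
    // Every non-space character must be part of a token (rejects "1..2" and ".5").
    if (implode('', $t) !== preg_replace('/\s+/', '', $expr))
        throw new InvalidArgumentException('malformed number');
    $i = 0;
    $v = parse_level($t, $i);
    if ($i !== count($t)) throw new InvalidArgumentException('unexpected token');
    return $v;
}
// Level 0 handles + and -, level 1 handles * and /, level 2 is a single atom.
function parse_level(array $t, int &$i, int $level = 0): float {
    if ($level === 2) return parse_atom($t, $i);
    $ops = [['+', '-'], ['*', '/']][$level];
    $v = parse_level($t, $i, $level + 1);
    while (in_array($op = $t[$i] ?? '', $ops, true)) {
        $i++;
        $r = parse_level($t, $i, $level + 1);
        if ($op === '/' && $r == 0.0) throw new InvalidArgumentException('division by zero');
        $v = match ($op) { '+' => $v + $r, '-' => $v - $r, '*' => $v * $r, '/' => $v / $r };
    }
    return $v;
}
function parse_atom(array $t, int &$i): float {
    $tok = $t[$i] ?? '';
    $i++;
    if ($tok === '-') return -parse_atom($t, $i);   // unary minus
    if ($tok === '(') {
        $v = parse_level($t, $i);
        if (($t[$i] ?? '') !== ')') throw new InvalidArgumentException('missing )');
        $i++;
        return $v;
    }
    if (!is_numeric($tok)) throw new InvalidArgumentException('number expected');
    return (float) $tok;
}
// Constructed query strings: a raw "+" decodes to a space, "%2B" to a plus sign.
$samples = ['param=2+2', 'param=2%2B2', 'param=' . rawurlencode('(1+2)*3'), 'param=' . rawurlencode('2+abs(-2)')];
foreach ($samples as $qs) {
    parse_str($qs, $get);   // same decoding PHP applies when it builds $_GET
    try { $out = (string) safe_calc($get['param']); }
    catch (InvalidArgumentException $e) { $out = 'rejected: ' . $e->getMessage(); }
    echo $qs, ' => ', $out, "\n";
}
```

The unencoded `2+2` reaches the parser as `2 2` and is rejected as malformed, while anything containing letters, such as a function call, never gets past the whitelist.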