0

For example, if I do something like

$a = "{${phpinfo()}}";

phpinfo() will be executed from within the context of that string declaration. This doesn't seem to happen when I do $a = $_GET['a'], and set that get var to be equal to {${phpinfo()}}. Why doesn't that behave the same way, and does that mean curly syntax is not dangerous in this way?

user1131308
  • I don't see what this has to do with "curly syntax". Your code executes a function because you told it to. Certainly that can cause issues, as each and every command you execute. You certainly should not feed client side provided data into this, if that is what you mean. But again that is true for every command you execute... – arkascha Oct 22 '16 at 19:24

2 Answers

1

It isn't dangerous since variable interpolation is performed only during compilation time. These sequences have to be physically in the code inside a double quoted string/heredoc literal. You'd have to be dynamically generating files or using eval() to have to worry about this.

Shira
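The distinction drawn in the answer above, as an added example that is not part of the original post: the same characters are compiled as code when they appear in a source literal, stay inert as runtime data, and only run again if the data is passed through eval(). probe() is a hypothetical, harmless stand-in for phpinfo(), and $input is a constructed stand-in for $_GET['a'].

```php
<?php
// Added example. probe() is a hypothetical stand-in for phpinfo();
// it only counts how often it is called.
$calls = 0;
$greeting = 'hello';

function probe(): string
{
    global $calls;
    $calls++;            // record that the function really ran
    return 'greeting';   // name of the variable that ${...} will look up
}

// 1. Literal in the source file: the compiler turns the string into
//    code that calls probe() and reads $greeting.
$a = "{${probe()}}";
$afterLiteral = $calls;                  // 1

// 2. The same characters arriving as data (constructed value).
//    Single quotes here only build the test string without interpolation.
$input = '{${probe()}}';
$b = $input;                             // plain copy
$c = "value: $input";                    // interpolates $input once; its
                                         // contents are never re-parsed
$afterData = $calls;                     // still 1

// 3. eval() compiles the data as PHP source, so the sequence is now
//    "physically in the code". This is the pattern to avoid.
eval('$d = "' . $input . '";');
$afterEval = $calls;                     // 2

// 4. Placeholder substitution without eval(): the input stays data.
$e = strtr('value: {a}', ['{a}' => $input]);
$afterStrtr = $calls;                    // still 2

printf("literal: a=%s calls=%d\n", $a, $afterLiteral);
printf("data:    c=%s calls=%d\n", $c, $afterData);
printf("eval:    d=%s calls=%d\n", $d, $afterEval);
printf("strtr:   e=%s calls=%d\n", $e, $afterStrtr);
```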
0

That's the same as if you change the double quotes into single quotes.

If you have

$a = 10;
$b = "$a";
$c = '$a';
echo "b = $b\n";
echo "c = $c\n";

then $b will be the same as $a, while $c will be $a literally.

See What does ${ } mean in PHP syntax?

Community
Richard