Vulnerability Development mailing list archives
Re: PHP : eval() ?
From: Slow2Show <sl2sho () yahoo com>
Date: 19 Jul 2002 02:31:56 -0000
In-Reply-To: <20020718203227.15908.qmail () mail securityfocus com>

frog-

AFAIK if magic quotes is on the only way you could get through would be with the code below....if it is off then you could pass straight through, but from your output I would guess that your server has magic quotes on

<?
//this would be _very_ bad code for a coder to use
eval(stripslashes($evalu));
printf("<br>echo=%s",$evalu);
?>

a valid test string would be:

script.php?evalu=echo%20"start%20";system("ls");echo%20"end";

so in your case magic quotes are enabled and you are dealing with a straight eval()...then I believe you won't be able to passthru

please correct me if I'm wrong,

-Slow2Show-
University of Florida
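
Added example, not part of the original message: it shows how the escaping applied by magic quotes is exactly what stripslashes() removes, next to a design that never passes request data to eval(). magic_quotes_gpc is simulated with addslashes(); the function names magic_quotes_sim and dispatch and the action names are hypothetical.

```php
<?php
// Added example, not from the original post. magic_quotes_gpc (removed in
// PHP 5.4) applied addslashes() to every GET/POST/cookie value, so it is
// simulated here with addslashes(). Nothing in this script is evaluated.

// Constructed sample: the evalu value from the post, after URL decoding.
$raw = 'echo "start ";system("ls");echo "end";';

function magic_quotes_sim(string $value): string
{
    // Escapes single quote, double quote, backslash and NUL with a backslash.
    return addslashes($value);
}

$as_received = magic_quotes_sim($raw);        // what the script would see
$restored    = stripslashes($as_received);    // what the post's code evals

echo "received with magic quotes: $as_received\n";
echo "after stripslashes():       $restored\n";
// Compares the restored value with the raw input: the escaping is undone.
var_dump($restored === $raw);

// Hardened form: never eval() request data. Map the parameter onto a fixed
// set of server-defined actions (hypothetical names) and reject the rest.
function dispatch(string $action): string
{
    $allowed = [
        'time'    => fn() => date('c'),
        'version' => fn() => 'app 1.0',       // placeholder value
    ];
    if (!array_key_exists($action, $allowed)) {
        return 'rejected';
    }
    return $allowed[$action]();
}

echo dispatch('version'), "\n";   // known action runs server-defined code
echo dispatch($restored), "\n";   // request-supplied code is refused
```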