Due to numerous comments published (at the time the question was asked by me), I believe there is some doubt as to the PHP Injection.
So I’ll explain some points.
What is PHP Injection?
It is a form of attack where the attacker uses a PHP script to attack an application written in PHP.
According to Google:
[...] PHP Injection is a technique used on the Internet consisting of
injecting malicious scripts, making the page vulnerable
the control of the attacker [...]
Generally, this type of attack consolidates when the developer leaves loopholes in upload forms. For example, the malicious person can send a PHP script through that form and then run it.
The result could be disastrous if the attacker manages to list directories, delete files, steal sensitive data, etc...
Send like this, PHP Injection has no relation to SQL Injection, as some had pointed out in previous comments.
And the SQL Injection?
SQL Injection is an attack that consists of inserting (known as injection) a query via web application.
That is, there is no direct relationship with the PHP Injection.
Ways to avoid PHP Injection
Be careful when uploading!
As stated earlier, one of the biggest ways of this attack is through upload forms, where the attacker manipulates the uploaded content (usually by sending an unexpected PHP script on the server) and, through it, has access to server information.
Avoid the eval
Another dangerous thing about PHP Injection is the use of the function eval
, which has the power to make a string
in a valid PHP code.
See more information about eval
in the question below:
Beware as the modifier e
of function preg_replace
Recently, PHP deprecated the modifier e
of function preg_replace
, because this modifier could use a valid PHP code as a return, being also used by attackers.
See that the preg_replace
and the modifier e
this question caused some problems for the developer:
In this question asked by @Rodrigoborth, it is clear that the code was injected by a Cracker into the server where his application is.
Although it has been deprecated, it is good to keep an eye out for older library versions or legacy applications that might use this modifier.
Null Byte Attack
It seems that the Null Byte Attack
also was a problem in PHP in previous versions too.
See more about this here:
SQL Injection is related to PHP Injection ?
No. These are different matters and, in each case, the safety care should be different.
See the SQL Injection section below to draw your conclusions about the differences:
What not to confuse?
Another thing is to confuse Ataque XSS
with PHP Injection
.
XSS can be done in any other language that does not take proper care.
PHP Injection is something specific to PHP.
PHP Injection, you mean abuse of
eval()
,extract()
and worse things like Globals, Magics?– rray
Wallace is not exactly/completely the same subject but should help: http://answall.com/a/10931/3635
– Guilherme Nascimento
@rray What a
extract()
can do harm?– Francisco