PHP

PHP (PHP: Hypertext Preprocessor) is a widely-used server-side scripting language designed for web development. Created in 1994, PHP powers a significant portion of the web including platforms like WordPress, Drupal, and Laravel-based applications.

Key Characteristics

  • Server-side execution: PHP code runs on the server, generating HTML sent to the client
  • Embedded in HTML: PHP code can be mixed directly with HTML using <?php ?> tags
  • Loosely typed: Variables don't require type declarations, enabling type juggling
  • Extensive ecosystem: Large standard library and package manager (Composer)

Basic Syntax

<?php
// Variables
$name = "PentesterLab";
$count = 42;

// Functions
function greet($user) {
    return "Hello, " . htmlspecialchars($user);
}

// Database query (PDO prepared statement - secure)
// Assumes $pdo is an open PDO connection and $userId holds the requested id
$stmt = $pdo->prepare("SELECT * FROM users WHERE id = ?");
$stmt->execute([$userId]);
?>

Security Considerations

PHP applications are susceptible to several vulnerability classes:

  • Type Juggling: Loose comparisons (==) can lead to authentication bypasses
  • Object Injection: Deserializing untrusted data via unserialize()
  • File Inclusion: LFI/RFI through include() and require()
  • Command Injection: Unsafe use of system(), exec(), shell_exec()
  • SQL Injection: String concatenation in database queries

Dangerous Functions

// Code execution
eval(), assert(), preg_replace() with /e modifier
create_function(), call_user_func()

// Command execution
system(), exec(), shell_exec(), passthru()
popen(), proc_open(), pcntl_exec()

// File operations
include(), require(), include_once(), require_once()
file_get_contents(), fopen(), readfile()

// Deserialization
unserialize(), phar://

PHP Wrappers

PHP supports stream wrappers that can be exploited in file inclusion vulnerabilities:

php://filter/convert.base64-encode/resource=config.php
php://input
data://text/plain,<?php system($_GET['cmd']); ?>
expect://id
phar://malicious.phar
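
An allowlist lookup that keeps the wrapper strings above from ever reaching include(), shown as an added example that is not part of the original page. The PAGES map, resolve_page() and the temporary directory are hypothetical names constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Vulnerable pattern (for contrast): include $_GET['page'];
// Hardened pattern: the request supplies a key, never a path or URL.
const PAGES = ['home' => 'home.php', 'contact' => 'contact.php']; // hypothetical map

function resolve_page(string $key, string $baseDir): ?string
{
    if (!array_key_exists($key, PAGES)) {
        return null;                       // wrapper strings stop here
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$key]);
    if ($base === false || $path === false) {
        return null;                       // missing directory or file
    }
    // Defence in depth: the resolved file must sit inside the base directory,
    // even if someone later adds a bad entry (or a symlink) to the map.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed demo: a throwaway template directory with one page in it.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'home.php', "<h1>Home</h1>\n");

$inputs = [
    'home',                                                   // allowlisted key
    'contact',                                                // allowlisted, file missing
    'php://filter/convert.base64-encode/resource=config.php', // wrappers from the list above
    'php://input',
    'expect://id',
    'phar://malicious.phar',
];

foreach ($inputs as $input) {
    $resolved = resolve_page($input, $dir);
    printf("%-58s %s\n", $input, $resolved === null ? 'rejected' : 'include ' . basename($resolved));
}

unlink($dir . DIRECTORY_SEPARATOR . 'home.php');
rmdir($dir);
```

Leaving allow_url_include at Off (the default) is not a substitute for the allowlist, because php://filter and phar:// still resolve local files with that setting.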
