
I'm pretty sure the error is when they later take the input and eval it, and the author's managed to dodge their filtering rather than execute arbitrary code in the context of an array-to-string cast (which I was led to believe when reading that post, at least). Otherwise it implies that some permutation of:

    $a = '{${phpinfo()}}'; $b = [$a]; $c = "$b";

Will execute phpinfo()... which it won't.




I'm not quite sure I understand it either, though this does execute phpinfo.

    $variable = "{${phpinfo()}}";
    echo "$variable is fish";

I feel I've missed the point.


This is how it is executed:

    $variable = "{${phpinfo()}}"; // <- Execution happens here
    echo "$variable is fish";

If you pass a "{${phpinfo()}}" via GET, it is not executed. The execution has to happen later - e.g. by eval() or /e.
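
The distinction drawn in the comments above, as an added example that is not part of the thread. `marker()` is a hypothetical harmless stand-in for `phpinfo()`, the variable names are assumptions, and `$input` is a constructed value standing in for a request parameter.

```php
<?php
// Added illustration. marker() is a hypothetical, harmless stand-in for phpinfo().
$calls = 0;
function marker(): string {
    global $calls;
    $calls++;
    return 'x';   // "{${marker()}}" then resolves to the variable $x
}
$x = 'value';

// 1. Syntax written inside a double-quoted literal in source code: the
//    compiler turns it into a call, so marker() runs on this assignment.
$literal = "{${marker()}}";
printf("after literal:       calls=%d\n", $calls);

// 2. The same characters arriving as data (constructed, as if from $_GET).
//    Single quotes keep them inert; interpolating $input only copies bytes.
$input  = '{${marker()}}';
$echoed = "$input is fish";
printf("after interpolation: calls=%d text=%s\n", $calls, $echoed);

// 3. The array-to-string cast from the first comment: PHP raises an
//    "Array to string conversion" warning and never parses the element.
$b = [$input];
$c = "$b";
printf("after array cast:    calls=%d text=%s\n", $calls, $c);

// 4. Only re-parsing the data as PHP source runs it: eval() builds a new
//    double-quoted literal around the input. This is the pattern to remove.
eval('$evaluated = "' . $input . '";');
printf("after eval:          calls=%d\n", $calls);
```

The call counter changes only at steps 1 and 4, which is why the audit target is the later `eval()` (or the legacy `/e` modifier, removed in PHP 7), not the interpolation or the cast.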


Haha same here… anyone care to explain?



