Script injection via json_encode() using PHP


Question

Is it possible to inject properties into a JSON-String using PHP json_encode()?

Or would the following example be vulnerable:

<?php
$search = $_GET['q'];
$api_call = array('search' => $search);
do_my_api_call(json_encode($api_call));
?>

This should output something like

{"search":"my input string"}

This would be an outcome to avoid:

{"search":"my input string","function":"do something weird to my REST-API"}

If the second one is possible with a manipulated query, how should I quote the input string?

Answer

It is not possible to inject values this way. Only if you'd be cobbling together JSON by hand would this be possible, e.g.:

$json = sprintf('{"search":"%s"}', $search);

However, if you're using json_encode, it is aware of your data types and array structures and will properly escape characters so as to produce an accurate JSON representation of the given input. It cannot be tricked by quotes or other special characters in the input.
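The following script is an added example, not code from the question or the answer above. It feeds the same constructed search term (one that carries the `","function":"` sequence from the question) to both the hand-built sprintf() version and json_encode(), decodes the results, and shows that only the hand-built string grows an extra key. It also covers the one failure mode of json_encode() a practitioner should handle: invalid UTF-8 in the input makes it return false unless you ask it to throw or substitute. The do_my_api_call() function from the question is not defined here; the script only builds and inspects the JSON strings.

```php
<?php
// Added example (not from the original question or answer): contrast hand-built
// JSON with json_encode() on the same attacker-controlled input, then check
// how json_encode() behaves on input that is not valid UTF-8.
declare(strict_types=1);

// Returns the keys each approach yields after a JSON round trip, so the
// difference is visible as data rather than as eyeballed strings.
function compare_encodings(string $search): array
{
    // 1) Hand-built JSON: the quote inside $search ends the "search" value and
    //    whatever follows becomes part of the object structure.
    $handBuilt = sprintf('{"search":"%s"}', $search);
    $decodedHand = json_decode($handBuilt, true);

    // 2) json_encode(): the PHP array fixes the structure; the embedded quote
    //    is escaped as \" and stays inside the single string value.
    $encoded = json_encode(['search' => $search], JSON_THROW_ON_ERROR);
    $decodedEnc = json_decode($encoded, true, 512, JSON_THROW_ON_ERROR);

    return [
        'hand_built'          => $handBuilt,
        'hand_built_keys'     => array_keys($decodedHand),
        'json_encode'         => $encoded,
        'json_encode_keys'    => array_keys($decodedEnc),
        // true when the value survives the round trip byte-for-byte
        'json_encode_roundtrip' => $decodedEnc['search'] === $search,
    ];
}

// Constructed input: a search term that tries to close the "search" value and
// smuggle an extra "function" key, the outcome the question wants to avoid.
$search = 'my input string","function":"do something weird to my REST-API';
print_r(compare_encodings($search));

// Caveat: json_encode() rejects strings that are not valid UTF-8. With no flags
// it returns false, and passing false on to an API call sends an empty body.
$badUtf8 = "caf\xE9"; // constructed: a Latin-1 byte, not valid UTF-8
$plain = json_encode(['search' => $badUtf8]);
if ($plain === false) {
    echo 'json_encode() failed: ' . json_last_error_msg() . PHP_EOL;
}

// Two ways to make that failure explicit instead of silent:
// a) throw (PHP >= 7.3) so the request is never built from a false value;
try {
    json_encode(['search' => $badUtf8], JSON_THROW_ON_ERROR);
} catch (JsonException $e) {
    echo 'rejected by JSON_THROW_ON_ERROR: ' . $e->getMessage() . PHP_EOL;
}
// b) substitute U+FFFD for the bad bytes (PHP >= 7.2) when lossy output is acceptable.
echo json_encode(['search' => $badUtf8], JSON_INVALID_UTF8_SUBSTITUTE) . PHP_EOL;
```

The hand-built branch decodes to two keys, search and function, while the json_encode() branch decodes to a single search key whose value round-trips unchanged; that is the whole of the answer above, observed on real data. The UTF-8 branch is the part the answer does not mention: json_encode() cannot be tricked into emitting extra structure, but it can refuse to emit anything, so check its return value (or use JSON_THROW_ON_ERROR) before handing the result to do_my_api_call().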
