Is PHP injection possible? The possibility just occurred to me. So far I haven't been successful in injecting PHP code through _REQUEST vars.

For example, http://www.domain.com/file.php?sort=");&order=DESC

With this code:


$var .= some_function($_REQUEST['sort'], $_REQUEST['order']);


In this example I get no parse errors and $_REQUEST['order'] still goes through.

Thats because 'sort' is holding the string, its not executed literally. Thats the same as going:

$_REQUEST['sort'] = '");';

If you were to eval() it, then it'd be different.

That clears things up a bit. Thanks.

Correct. It cool.

Now, if it were enclosed in an eval() statement, then it would hit the fan.