- Resolve :Null character issues in php security issues
- Null character in php
- Syntax
- Casting to null
- See Also
- User Contributed Notes 6 notes
- [Explained]: What does “binary safe” mean in PHP?
- ASCII character encoding
- The null character
- PHP functions
- What does binary-safe mean?
- Non-binary safe function example
- Syntax
- Parameters
- Example
- Binary safe function example
- Syntax
- Parameters
- Example
- Related Articles
Resolve :Null character issues in php security issues
Because PHP’s file system operations are based on functions of the C language, it can handle Null characters in ways you might not expect. The Null character is used in the C language to identify the end of a string, a complete string from its beginning until the Null character is encountered. The following code demonstrates a similar attack:
Example #1 code that will be attacked by the Null character problem
Therefore, any string used to manipulate the file system must be properly checked. Here is an improved version of the above example:
Example #2 verifies that the input is correct
A function error can expose the database the system is using or provide an attacker with useful information about a web page, program, or design. Attackers often find open database ports and certain bug or vulnerabilities on the page. For example, an attacker could make a program error with some abnormal data to detect the order of authentication in the script (through the line number of the error) and information that might be leaked elsewhere in the script.
One file system or PHP error will reveal what permissions the web server has and how the files are organized on the server. Error code written by the developer can exacerbate the problem, leading to the release of previously hidden information.
There are three common ways to deal with these problems. The first is to thoroughly examine all functions and try to fix most of the errors. The second is to completely shut down the online system error report. The third is to create your own error handling mechanism using PHP’s custom error handling function. Depending on the security policy, all three approaches may work.
Null character in php
The null type is PHP’s unit type, i.e. it has only one value: null .
Undefined, and unset() variables will resolve to the value null .
Syntax
There is only one value of type null , and that is the case-insensitive constant null .
Casting to null
This feature has been DEPRECATED as of PHP 7.2.0, and REMOVED as of PHP 8.0.0. Relying on this feature is highly discouraged.
Casting a variable to null using (unset) $var will not remove the variable or unset its value. It will only return a null value.
See Also
User Contributed Notes 6 notes
Note: empty array is converted to null by non-strict equal ‘==’ comparison. Use is_null() or ‘===’ if there is possible of getting empty array.
NULL is supposed to indicate the absence of a value, rather than being thought of as a value itself. It’s the empty slot, it’s the missing information, it’s the unanswered question. It’s not a jumped-up zero or empty set.
This is why a variable containing a NULL is considered to be unset: it doesn’t have a value. Setting a variable to NULL is telling it to forget its value without providing a replacement value to remember instead. The variable remains so that you can give it a proper value to remember later; this is especially important when the variable is an array element or object property.
It’s a bit of semantic awkwardness to speak of a «null value», but if a variable can exist without having a value, the language and implementation have to have something to represent that situation. Because someone will ask. If only to see if the slot has been filled.
I would like to add for clarification that:
—$x;
// $x is still NULL.
// Decrementing NULL, using Decrement Operator, gives NULL.
$x-=1;
// $x is now int(-1).
// This actually decrements value by 1.
On the other hand, Incrementation works simply as expected.
Hope this helps 🙂
Note: Non Strict Comparison ‘==’ returns bool(true) for
Use Strict Comparison Instead
[Explained]: What does “binary safe” mean in PHP?
When going through the documentation of various in-built functions in PHP, you will most likely come across the term «binary safe» quite often.
In this article, we will cover what «binary safe» means, and how binary-safe functions are different from those which are not with aid of several examples.
ASCII character encoding
ASCII (American Standard Code for Information Interchange) is a character encoding standard (character set) used between computers and other electronic devices on the Internet.
It consists of 128 characters which include the numbers from 0 to 9, the upper and lower case letters from A to Z, and some special characters. It contains a binary code for all these characters (from 000 0000 to 111 1111).
It is the basis for modern character sets such as UTF-8 (default encoding for HTML5) and ISO-8859-1 (default for HTML 4.01).
The null character
The null character is a control character representing nothing, with the value of binary zero, but may have special meaning when interpreted as text, as in marking the end of character strings.
The null character is represented with hex code «x00» and is escaped with a backslash \ where x indicates hexadecimal notation.
A PHP string with a null character will look as below.
You will notice that if you manually count the characters of the string above you will get 25 instead. However, the strlen() function returns the string length as 22. This is because «\x00» is parsed to mean null character and thus occupies one byte instead of 4. That’s why the length is less by 3.
PHP functions
A function is a named group of reusable code that performs a specific task, which can be called anywhere in your program.
Functions usually take in data, process it, and return a result.
The code in the function does not get executed until the function is called.
There are two types of functions in PHP: in-built functions and user-defined functions. The in-built functions already exist internally in PHP and all you have to do is to call them when you want to use them. On the other hand, user-defined functions are created by the programmer to accomplish a custom task.
For instance, strlen() as used above is an in-built function for getting the length of a string. We pass the string when calling it and it returns its length.
In our case here, we are more interested in the in-built PHP functions. They are all documented on the PHP official website.
While going through their documentation, you will find most of them described as «binary-safe«.
What does binary-safe mean?
Traditionally there are two ways to mark the end of a string: by adding a null character (\x00) at the end of the string (C language uses this method) or by storing its length along with the string data (PHP uses this method).
The limitation of the former (using the null character to mark the end of the string) is that you cannot use a null byte/character anywhere else in the string but at the end.
PHP is an interpreted language with its interpreter written in C language. Therefore, some of its functions might be based on C functions.
Any function can process a string that contains only ASCII characters and no null characters correctly.
However, some functions may process strings containing non-ASCII bytes and/or null bytes incorrectly. For instance, a PHP function might be based on a C function that expects null-terminated strings, so if the string contains a null character, the function would ignore anything after it. This is because it treats the null character as the end of the string.
Binary safety can therefore be defined as a property of functions which means they process any string correctly.
Most of C’s standard library string functions can be classified as «non-binary safe» since they rely on the null character for termination.
A «binary safe function» is a function that works correctly even when you pass arbitrary binary data eg. a string containing non-ASCII bytes and/or null bytes.
Non-binary safe function example
A good example of a not binary-safe function is strcoll().
The strcoll() is an in-built case-sensitive PHP function that compares two strings.
Syntax
Parameters
Example
The two strings are the same.
From the example above, you can clearly see that the two strings are different. $str1 has value «Hello» while $str2 has value «Hello\x00 world!». The reason why the output of the strcoll() function is 0 (which means they are the same) is that it is not binary safe and interprets the null character «\x00» as the end of the string $str2 and ignores everything after. So it assumes the value of $str2 to be «Hello».
Note: The comparison of the strings may vary depending on the locale settings. If the current locale is C or POSIX, this function works the same way as strcmp() explained below.
Binary safe function example
Most of the functions in PHP are binary-safe. But for the sake of demonstration, we will use strcmp() function which is very similar to the above in its functionality except that it is binary-safe.
The strcmp() is an in-built, case-sensitive PHP function used to compare two strings.
Syntax
Parameters
Example
The two strings are different.
The strcmp() function correctly processes the string $str2 up to the last character (does not terminate it at the null character «\x00») and thus the two strings are not considered equal.
It’s my hope that this explanation helps you to get a better understanding.