问题
Is it possible to inject properties into a JSON-String using PHP json_encode()?
Or would be the following example vulnerable:
<?php
$search = $_GET['q'];
$api_call = array('search' => $search);
do_my_api_call(json_encode($api_call));
?>
This should output something like
{"search":"my input string"}
This would be an outcome to avoid:
{"search:"my input string","function":"do something weird to my REST-API"}
If the second one is possible with a manipulated query, how should I quote the input string?
回答1:
It is not possible to inject values this way. Only if you'd be cobbling together JSON by hand would this be possible, e.g.:
$json = sprintf('{"search":"%s"}', $search);
However, if you're using json_encode, it is aware of your data types and array structures and will properly escape characters so as to produce an accurate JSON representation of the given input. It cannot be tricked by quotes or other special characters in the input.
来源:https://stackoverflow.com/questions/23866987/script-injection-via-json-encode-using-php