When PHP code should really be treated as unsafe

Yesterday I took part in an interview for a PHP developer position. My interview task was to answer fifteen questions in a fairly simple test. One of the questions was to decide whether a given code sample should be treated as unsafe, and under which conditions.

I gave a wrong (as it turned out) answer, and the interviewer's argument was quite surprising to me at first. Eventually I realized my mistake.

The code was something like this:

function someFunction($a)
{
    echo $a * 4;
}

someFunction($_GET['value']);

The possible answers were:

  • always,
  • only when register_globals is enabled,
  • never.

You could get one point for the correct answer and a second one for giving a good explanation (argument) for the chosen answer.

My answer was the third: this code is never unsafe. Plus the argument:

Because this is just a simple equation. There are no file or database operations here, no streams, no protocols, nothing. It’s just an equation. Nothing else. An attacker is unable to do anything wrong with the PHP script, no matter how malformed a URL query he or she tries to execute. No chance.

I got zero points. Neither was my answer correct, nor was my argument accepted. The correct answer was:

This code is always unsafe — you should always escape what you get from the URL query.

Since I was surprised, I asked for an explanation on Stack Overflow and got a response that this code is indeed unsafe. Why? In its current implementation it isn’t dangerous at all. But when the implementation of someFunction changes in the future, any call to someFunction($_GET['value']) may become very dangerous.
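
The point above as an added example (not code from the original post or from the Stack Overflow answer): the value is validated once at the boundary and escaped where it is output, so a later change to someFunction does not turn the existing call into a risk. readIntParam, someFunctionV2 and the sample queries are hypothetical names and constructed inputs; PHP 8.0 or later is assumed.

```php
<?php
declare(strict_types=1);

// Boundary check: accept only a plain integer from the query string.
// Returns null when the parameter is missing, is an array, or is not an integer.
function readIntParam(array $query, string $name): ?int
{
    $raw = $query[$name] ?? null;
    if (!is_string($raw)) {
        return null; // missing key, or an array such as ?value[]=1
    }
    $int = filter_var($raw, FILTER_VALIDATE_INT);
    return $int === false ? null : $int;
}

// The behaviour from the post, with a typed parameter instead of raw input.
function someFunction(int $a): string
{
    return (string) ($a * 4);
}

// Hypothetical later version: the value is now also shown back to the user.
// Escaping at output keeps it safe even though the type was relaxed.
function someFunctionV2(int|string $a): string
{
    $shown = htmlspecialchars((string) $a, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return 'You entered ' . $shown . ', result: ' . ((int) $a * 4);
}

// Constructed sample queries standing in for $_GET.
$samples = [
    ['value' => '5'],
    ['value' => '5<b>x</b>'],
    ['value' => ['1']],
    [],
];

foreach ($samples as $query) {
    $a = readIntParam($query, 'value');
    if ($a === null) {
        echo "rejected\n";
        continue;
    }
    echo someFunction($a), ' | ', someFunctionV2($a), "\n";
}
```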
