What is PHP Injection? What's the difference between it and SQL Injection? And how to avoid it?

  • What is PHP Injection?
  • What's the difference between it and SQL Injection?
  • How to avoid PHP Injection in my application?
  • What are the main forms of PHP Injection type attack?


Note : Remembering that SQL injection is not the same thing as PHP Injection .

Code Injection in PHP

What is SQL Injection?

asked by anonymous 13.08.2015 / 23:00

2 answers


Due to numerous published comments (at the time the question was asked by me), I believe there is some doubt about the PHP Injection . So I'll explain a few points.

What is PHP Injection?

It is a form of attack where the attacker uses a PHP script to attack an application written in PHP.

According to Google:


[...] PHP Injection is a technique used on the internet that consists of   inject malicious scripts, making the vulnerable page   the control of the attacker [...]

Generally, this type of attack consolidates when the developer leaves loopholes in upload forms. For example, the malicious person may send a PHP script through that form and then execute it.

The result can be disastrous if the attacker can list directories, delete files, steal sensitive data, etc.

So, PHP Injection is not related to SQL Injection, as some had pointed out in previous comments.

What about SQL Injection?


SQL Injection is an attack consisting of the insertion (known as injection) of a query via the web application.

That is, there is no direct relation to the PHP Injection .

Ways to avoid PHP Injection

Be careful when uploading!

As previously stated, one of the major forms of this attack is through upload forms, where the attacker manipulates the submitted content (usually by sending an unexpected PHP script to the server) and through it has access to server information .

Avoid eval

Another dangerous thing about PHP Injection is the use of the eval function, which has the power to make a string into a valid PHP code.

See more information on eval in the question below:

Caution as modifier e of function preg_replace

Recently PHP deprecated the e modifier of the preg_replace function, since this modifier could use a valid PHP code as a return and is also used by attackers.

See that preg_replace and e modifier on this question caused some problems for the developer:

In this question by @RodrigoBorth, it is clear that the code was injected by a cracker on the server where the application is located.

Although deprecated, it's good to be aware of older versions of libraries or legacy applications that might use this switch.

Null Byte Attack

It seems like Null Byte Attack has already been a problem in PHP in previous versions as well.

See more about it here:

Is SQL Injection related to PHP Injection?

No. These are different issues and, in each case, the safety precautions should be different.

Read about SQL Injection in the question below to draw your conclusions about the differences:

What else not to confuse?

Another thing is to confuse Ataque XSS with PHP Injection . XSS can be done in any other language that does not take care of it. PHP Injection is something specific to PHP.

14.08.2015 / 13:36

Just to contribute to the discussion and given that I went through this bad experience in a site that I manage I will detail what happened.

This site allows the user to upload ZIP files and images (JPG / PNG). Well, an unfortunate uploaded a JPG file that was actually not an image but a PHP script, it simply changed its extension, uploaded the file with an image header obviously but at the end of the file there is a php script that created a console of remote access with the name of copyright.php, from there he could list the files of the server and consequently see them in detail (with right connection to the database).

It worked hard to identify this, fixing it was simple, but seeing the php injection happening was laborious, and here for us you will never imagine it. The interesting thing is that he also used a text browser to visit the image, to come a binary header and in the sequence the code will be shown in the browser.

16.10.2018 / 21:22