Wednesday, April 12th, 2006
Some of you will be familiar with TheDailyWTF.com, a website showcasing code in the wild that is, well, less than professional. A recent forum item illustrates the ultimate Ajax antipattern: uploading arbitrary code to be executed on the server.
Gustavo Carvalho discovered what happens when XMLHttpRequest and the eval() function in PHP are combined. I’ll leave it to your imagination as to what the server-side looks like …
// PHP source assembled on the client, then shipped over XHR to be eval()'d on the server
var code =
  '$cn = mssql_connect($DB_SERVER, $DB_USERNAME, $DB_PASSWORD) ' +
  '  or die("ERROR: Cannot Connect to $DB_SERVER"); ' +
  '$db = mssql_select_db($DB_NAME, $cn); ';
Still, you’ve got to admit the remote execution is nicely encapsulated in that little execPhp() function – no messing around with XHR here ;-).
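For contrast, here is the shape the exchange should take: the client sends an action name and parameters, and the server resolves the action against a fixed table and never evaluates anything it received. This is an added example, not code from the Ajaxian post or from TheDailyWTF thread; dispatchAjaxRequest, ALLOWED_ACTIONS, buildRequest and the sample rows are all constructed for illustration.

```javascript
// Constructed sample data standing in for the customer table the PHP snippet queries.
const SAMPLE_CUSTOMERS = [
  { id: 1, name: 'Ada' }, { id: 2, name: 'Grace' }, { id: 3, name: 'Linus' },
];

// The server's complete vocabulary. Each handler validates its own parameters,
// so nothing the client sends is ever treated as code.
const ALLOWED_ACTIONS = {
  listCustomers(params) {
    const limit = Number.isInteger(params.limit) && params.limit > 0 && params.limit <= 100
      ? params.limit : 20;
    return { ok: true, rows: SAMPLE_CUSTOMERS.slice(0, limit) };
  },
  getCustomer(params) {
    if (!Number.isInteger(params.id) || params.id <= 0) {
      return { ok: false, error: 'invalid id' };
    }
    const row = SAMPLE_CUSTOMERS.find((c) => c.id === params.id);
    return row ? { ok: true, row } : { ok: false, error: 'not found' };
  },
};

// Client side: what replaces the string of PHP in the original. Data only.
function buildRequest(action, params) {
  return JSON.stringify({ action, params });
}

// Server side: parse, look the action up, reject everything else.
function dispatchAjaxRequest(rawBody) {
  let msg;
  try {
    msg = JSON.parse(rawBody);
  } catch {
    return { ok: false, error: 'malformed JSON' };
  }
  if (!msg || typeof msg.action !== 'string') {
    return { ok: false, error: 'missing action' };
  }
  // Own-property check: names such as "toString" or "constructor" must not
  // resolve through the prototype chain to something callable.
  if (!Object.prototype.hasOwnProperty.call(ALLOWED_ACTIONS, msg.action)) {
    return { ok: false, error: 'unknown action' };
  }
  const params = msg.params && typeof msg.params === 'object' ? msg.params : {};
  return ALLOWED_ACTIONS[msg.action](params);
}
```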
Posted by Michael Mahemoff at 6:08 pm