Php User Input In Danger Function
Description
Detects dangerous usage of PHP's deprecated create_function() with user-controlled input in the function body argument. create_function() internally uses eval(), so passing unsanitized user data as the function body allows attackers to execute arbitrary PHP code, leading to remote code execution.
Detection Strategy
• Identifies calls to PHP's create_function() function
• Inspects the second argument (the function body string) for symbols or element accesses derived from user input
• Traces those symbols back to their definition to verify they originate from HTTP request data ($_GET, $_POST, $_REQUEST, etc.)
• Reports a vulnerability when user-controlled data reaches the function body of create_function() without sanitization
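As an added example (not part of the original page and not the scanner's own code), the four steps above implemented as a small taint-tracking detector in Python, run over a constructed PHP sample: it finds create_function() calls, splits out the body argument, extracts the variables that argument references and follows their assignments back to $_GET/$_POST/$_REQUEST/$_COOKIE. The regex-based PHP parsing and the single-file, last-assignment-wins model are simplifying assumptions.

```python
import re
# Constructed sample PHP (not from the page); lines 3, 5, 8 are tainted, 9 is safe.
SAMPLE_PHP = """<?php
$userCode = $_GET['action'];
$fn = create_function('', $userCode);
$field = $_POST['field'];
$fn2 = create_function('$row', 'return $row["' . $field . '"];');
$raw = $_REQUEST['expr'];
$code = 'return ' . $raw . ';';
$fn3 = create_function('', $code);
$fn4 = create_function('', 'return 1;');
"""
SUPERGLOBALS = ("$_GET", "$_POST", "$_REQUEST", "$_COOKIE")
ASSIGN_RE = re.compile(r"^\s*(\$\w+)\s*=(?!=)\s*(.*);\s*$")   # "$var = <rhs>;"
VAR_RE = re.compile(r"\$\w+")

def split_args(text):
    # Split the text after "create_function(" at top-level commas (quote/paren aware).
    out, depth, quote = "", 0, None
    for ch in text:
        if quote or ch in "'\"":             # inside, or entering, a string literal
            quote = None if ch == quote else (quote or ch)
        elif ch in "()":
            depth += 1 if ch == "(" else -1
            if depth < 0:
                break                        # the paren that closes create_function( itself
        elif ch == "," and depth == 0:
            ch = "\0"                        # mark top-level separators, split afterwards
        out += ch
    return [a.strip() for a in out.split("\0")]

def is_tainted(var, assigns, seen=()):
    # Follow assignments back until a request superglobal (or a dead end) is reached.
    rhs = assigns.get(var)
    if rhs is None or var in seen:
        return False
    return any(sg in rhs for sg in SUPERGLOBALS) or any(
        is_tainted(v, assigns, seen + (var,)) for v in VAR_RE.findall(rhs))

def find_create_function_rce(php_source):
    # Returns [(line_no, variable)] where request data reaches the body argument.
    lines = php_source.splitlines()
    assigns = {m.group(1): m.group(2) for m in map(ASSIGN_RE.match, lines) if m}
    findings = []
    for no, line in enumerate(lines, 1):
        call = re.search(r"create_function\s*\(", line)
        args = split_args(line[call.end():]) if call else []
        body_vars = dict.fromkeys(VAR_RE.findall(args[1])) if len(args) > 1 else ()
        findings += [(no, v) for v in body_vars if is_tainted(v, assigns)]
    return findings
```

The constant body on the last sample line is deliberately not reported, and the concatenated and two-hop cases are caught only because the taint check recurses through intermediate assignments.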
Vulnerable code example
<?php
// Attacker controls the function body — equivalent to eval()
$userCode = $_GET['action'];
$fn = create_function('', $userCode); // Vulnerable: user input executed as PHP code
$fn();
// Also vulnerable when input is embedded via concatenation
$field = $_POST['field'];...
✅ Secure code example
<?php
// Replace create_function() with a proper anonymous function or named function
// and validate any dynamic behavior against a strict allowlist
$allowedActions = ['read', 'write', 'delete'];
$action = $_GET['action'] ?? '';
if (!in_array($action, $allowedActions, true)) {
http_response_code(400);...