Analysis on str_replace substitution vulnerability in php

This article mainly introduces the analysis of str_replace replacement vulnerability in php. It has certain reference value. Now I share it with everyone. Friends in need can refer to it

Definition and usage
str_replace() function uses a string to replace other characters in a string.
Syntax
str_replace(find,replace,string,count)
Parameter Description
find Required. Specifies the value to look for.
replace required. Specifies the value to replace the value in find.
string required. Specifies the string to be searched for.
count Optional. A variable counting the number of substitutions.
Tips and Notes
Note: This function is case-sensitive. Please use str_ireplace() to perform a case-insensitive search.
Note: This function is binary safe.
Example 1

<?php 
echo str_replace("world","John","Hello world!"); 
?>

Output:

Hello John!

Example 2
In this example, we will demonstrate the str_replace() function with array and count variables:

<?php 
$arr = array("blue","red","green","yellow"); 
print_r(str_replace("red","pink",$arr,$i)); 
echo "Replacements: $i"; 
?>

Output:

Array 
( 
[0] => blue 
[1] => pink 
[2] => green 
[3] => yellow 
) 
Replacements: 1

Example 3

<?php 
$find = array("Hello","world"); 
$replace = array("B"); 
$arr = array("Hello","world","!"); 
print_r(str_replace($find,$replace,$arr)); 
?>

Output:

Array 
( 
[0] => B 
[1] => 
[2] => ! 
)

Vulnerability related functions:

<?php 
$arr1 = Array(  
&#39;http://img.jb51.net/img/offer/29/24/70/20/29247020&#39;, 
&#39;http://img.jb51.net/img/offer/29/24/70/20/29247020-1&#39;, 
&#39;http://img.jb51.net/img/offer/29/24/70/20/29247020-2&#39; 
); 
$arr2 = Array( 
&#39;http://localhost/root/ups/af48056fc4.jpg&#39;, 
&#39;http://localhost/root/ups/cf33240aa3.jpg&#39;, 
&#39;http://localhost/root/ups/c30e40419b.jpg&#39; 
); 
$data = &#39; 
<img  src="/static/imghwm/default1.png"  data-src="http://img.jb51.net/img/offer/29/24/70/20/29247020"  class="lazy"  / alt="Analysis on str_replace substitution vulnerability in php" > 
<img  src="/static/imghwm/default1.png"  data-src="http://img.jb51.net/img/offer/29/24/70/20/29247020-1"  class="lazy"  / alt="Analysis on str_replace substitution vulnerability in php" > 
<img  src="/static/imghwm/default1.png"  data-src="http://img.jb51.net/img/offer/29/24/70/20/29247020-2"  class="lazy"  / alt="Analysis on str_replace substitution vulnerability in php" >&#39;; 
$data = str_replace($arr1,$arr2,$data); 
var_dump($data); 
?>

The result after replacement is:

string(169) ""The declaration of str_replace function is probably like this: str_replace($search, $replace, $input[,&$count]), for example, when replacing a string , $input is the source string (called the data source). This is unreasonable because it puts the data source in the third position, while str_pos, strtok, str_repeat and other functions all put the data source in the first position. In other words, str_replace does not replace the corresponding string in the array, but replaces the first one in the array, and then merges the remaining strings with the same string.

Solution:

function strrplace($arr1,$arr2,$data){ 
if(is_array($arr1)) {  
foreach($arr1 as $key => $value)  {
   $data = str_replace_once($value, $arr2[$key], $data);
  } } 
return $data;
}
function str_replace_once($needle, $replace, $data) //替换第一次
{
$pos = strpos($data, $needle);
if ($pos === false) {
return $data; 
}
return substr_replace($data, $replace, $pos, strlen($needle));
}

The above is the entire content of this article. I hope it will be helpful to everyone’s study. For more related content, please pay attention to the PHP Chinese website!

Related recommendations:

Analysis of filter_var() function and Filter function in PHP

About PHP intercepting strings Summary of some methods

The above is the detailed content of Analysis on str_replace substitution vulnerability in php. For more information, please follow other related articles on the PHP Chinese website!