function foo($x) { $y = user_input(); if ($y) { //return -98; } else { return "hello"; } return "wow"; }
break; default: $type = gettype($compare); } } elseif ($type === 'equal') { $type = gettype($compare); } // do the check if ($type === 'length' || $type === 'scalar') { $is_scalar = is_scalar($var); if ($is_scalar && $type === 'length') { return (bool) strlen($var); } return $is_scalar; } if ($type === 'numeric') { return is_numeric($var); } if (gettype($var) === $type) { return true; } return false; } $var = user_input(); // symbolic $type = user_input(); // symbolic $compare = user_input(); // symbolic $result = PMA_isValid($var, $type, $compare); label("after-call");
<?php /** An example using symbolic execution. (1) Compile => 'kompile php.k --backend symbolic' (2) Run the program with a symbolic integer as input (note that only a single path is chosen): => 'krun --parser="java -jar parser/parser.jar" -cPC="true" // -cIN='ListItem(#symInt(x))' examples/hello-world/hello-world-symbolic.php' (3) Run the program with a symbolic integer, showing all paths: => 'krun --parser="java -jar parser/parser.jar" -cPC="true" --search // -cIN='ListItem(#symInt(x))' examples/hello-world/hello-world-symbolic.php' Note the <pathCondition> cell which was automatically added to the configuration. */ $input = user_input(); // accepts symbolic input from command line if ($input == 0) { echo "Hello\n"; } else { echo "World\n"; }
function sil_dictionary_main() { run_user_action(); user_input(); }
<?php /* 1: kompile php.k --backend symbolic --symbolic-rules step --transition step 2: "when given an input =/=0 , function foo returns an integer" krun examples/LTL-symbolic/handwritten/types-fun2.php --parser="java -jar parser/parser.jar" -cPC="#symInt(input) ==Int 0" -cIN='ListItem(#symInt(input))' --ltlmc='<>Ltl (lab("after-call") /\Ltl hasType(gv(variable("result")),int))' 3: "the function will return int or string" krun examples/LTL-symbolic/handwritten/types-fun2.php --parser="java -jar parser/parser.jar" -cPC="true" -cIN='ListItem(#symInt(input))' --ltlmc='<>Ltl (lab("after-call") /\Ltl (hasType(gv(variable("result")),string) \/Ltl hasType(gv(variable("result")),int))) */ function foo($in) { if ($in == 0) { $result = 123; } else { $result = "a string"; } return $result; } $result = foo(user_input()); label("after-call");
* Check whether serialized data is of string type. * * @since 2.0.5 * * @param mixed $data Serialized data * @return bool False if not a serialized string, true if it is. */ function is_serialized_string($data) { // if it isn't a string, it isn't a serialized string if (!is_string($data)) { return false; } //$data = trim( $data ); $length = strlen($data); if ($length < 4) { return false; } elseif (':' !== $data[1]) { return false; } elseif (';' !== $data[$length - 1]) { return false; } elseif ($data[0] !== 's') { return false; } elseif ('"' !== $data[$length - 2]) { return false; } else { return true; } } $result = is_serialized_string(user_input()); label("after-call");
<?php /* Symbolic execution example. compile : 'kompile php.k --backend-symbolic --symbolic-rules "step"' run : krun examples/LTL-symbolic/handwritten/2.php -cPC="true" -cIN="ListItem(#symInt(x))" --parser="java -jar parser/parser.jar" --search */ $x = user_input(); if ($x < 0) { echo "negative\n"; } else { echo "positive or zero\n"; }
// perform the other $count - 1 iterations for ($j = 1; $j < $count; $j++) { $xorsum ^= $last = hash_hmac($algorithm, $last, $password, true); } $output .= $xorsum; } if ($raw_output) { return substr($output, 0, $key_length); } else { return bin2hex(substr($output, 0, $key_length)); } } $algo = "sha1"; $pass = user_input(); // symbolic input $salt = user_input(); // symbolic input $count = 1; $key_len = 16; $result = pbkdf2($algo, $pass, $salt, $count, $key_len); label("after-call"); function strtolower($s) { return $s; } function in_array($x, $array) { foreach ($array as $elem) { if ($x == $elem) { return true; }
* in Moodle) * * @param string $size size * * @return integer $size */ function PMA_getRealSize($size = 0) { /* if (! $size) { return 0; } */ $scan['gb'] = 1073741824; //1024 * 1024 * 1024; $scan['g'] = 1073741824; //1024 * 1024 * 1024; $scan['mb'] = 1048576; $scan['m'] = 1048576; $scan['kb'] = 1024; $scan['k'] = 1024; $scan['b'] = 1; foreach ($scan as $unit => $factor) { if (strlen($size) > strlen($unit) && substr($size, strlen($size) - strlen($unit)) == $unit) { return substr($size, 0, strlen($size) - strlen($unit)) * $factor; } } return $size; } $in = user_input(); echo PMA_getRealSize($in) . "\n";
<!DOCTYPE html> <html> <head> <title>P2 Allman</title> <link href="p2.css" rel="stylesheet" type="text/css"> </head> <body> <?php $qWords = $qSymbols = $qNumbers = 0; if ($_SERVER["REQUEST_METHOD"] == "POST") { $qWords = user_input($_POST["qWords"]); $qSymbols = user_input($_POST["qSymbols"]); $qNumbers = user_input($_POST["qNumbers"]); } function user_input($data) { $data = trim($data); $data = stripslashes($data); $data = htmlspecialchars($data); return $data; } ?> <form method = 'POST' action = 'index.php' onsubmit = "return valdiateForm" > <fieldset> <table>
<?php /* compile : 'kompile php.k --backend-symbolic --symbolic-rules "step"' run : 'krun examples/LTL-symbolic/handwritten/4.php -cPC="true" -cIN="ListItem(#symInt(x))" --parser="java -jar parser/parser.jar" --search' */ $a = array("a" => 0, "b" => 1); $k = user_input(); if ($k == "bc") { echo $a[$k]; }