function foo($x)
{
$y = user_input();
if ($y) {
//return -98;
} else {
return "hello";
}
return "wow";
}
break;
default:
$type = gettype($compare);
}
} elseif ($type === 'equal') {
$type = gettype($compare);
}
// do the check
if ($type === 'length' || $type === 'scalar') {
$is_scalar = is_scalar($var);
if ($is_scalar && $type === 'length') {
return (bool) strlen($var);
}
return $is_scalar;
}
if ($type === 'numeric') {
return is_numeric($var);
}
if (gettype($var) === $type) {
return true;
}
return false;
}
$var = user_input();
// symbolic
$type = user_input();
// symbolic
$compare = user_input();
// symbolic
$result = PMA_isValid($var, $type, $compare);
label("after-call");
<?php
/**
An example using symbolic execution.
(1) Compile
=> 'kompile php.k --backend symbolic'
(2) Run the program with a symbolic integer as input (note that
only a single path is chosen):
=> 'krun --parser="java -jar parser/parser.jar" -cPC="true" //
-cIN='ListItem(#symInt(x))' examples/hello-world/hello-world-symbolic.php'
(3) Run the program with a symbolic integer, showing all paths:
=> 'krun --parser="java -jar parser/parser.jar" -cPC="true" --search //
-cIN='ListItem(#symInt(x))' examples/hello-world/hello-world-symbolic.php'
Note the <pathCondition> cell which was automatically added to the configuration.
*/
$input = user_input();
// accepts symbolic input from command line
if ($input == 0) {
echo "Hello\n";
} else {
echo "World\n";
}
function sil_dictionary_main()
{
run_user_action();
user_input();
}
<?php
/*
1: kompile php.k --backend symbolic --symbolic-rules step --transition step
2: "when given an input =/=0 , function foo returns an integer"
krun examples/LTL-symbolic/handwritten/types-fun2.php --parser="java -jar parser/parser.jar" -cPC="#symInt(input) ==Int 0" -cIN='ListItem(#symInt(input))' --ltlmc='<>Ltl (lab("after-call") /\Ltl hasType(gv(variable("result")),int))'
3: "the function will return int or string"
krun examples/LTL-symbolic/handwritten/types-fun2.php --parser="java -jar parser/parser.jar" -cPC="true" -cIN='ListItem(#symInt(input))' --ltlmc='<>Ltl (lab("after-call") /\Ltl (hasType(gv(variable("result")),string) \/Ltl hasType(gv(variable("result")),int)))
*/
function foo($in)
{
if ($in == 0) {
$result = 123;
} else {
$result = "a string";
}
return $result;
}
$result = foo(user_input());
label("after-call");
* Check whether serialized data is of string type.
*
* @since 2.0.5
*
* @param mixed $data Serialized data
* @return bool False if not a serialized string, true if it is.
*/
function is_serialized_string($data)
{
// if it isn't a string, it isn't a serialized string
if (!is_string($data)) {
return false;
}
//$data = trim( $data );
$length = strlen($data);
if ($length < 4) {
return false;
} elseif (':' !== $data[1]) {
return false;
} elseif (';' !== $data[$length - 1]) {
return false;
} elseif ($data[0] !== 's') {
return false;
} elseif ('"' !== $data[$length - 2]) {
return false;
} else {
return true;
}
}
$result = is_serialized_string(user_input());
label("after-call");
<?php
/*
Symbolic execution example.
compile : 'kompile php.k --backend-symbolic --symbolic-rules "step"'
run : krun examples/LTL-symbolic/handwritten/2.php -cPC="true" -cIN="ListItem(#symInt(x))" --parser="java -jar parser/parser.jar" --search
*/
$x = user_input();
if ($x < 0) {
echo "negative\n";
} else {
echo "positive or zero\n";
}
// perform the other $count - 1 iterations
for ($j = 1; $j < $count; $j++) {
$xorsum ^= $last = hash_hmac($algorithm, $last, $password, true);
}
$output .= $xorsum;
}
if ($raw_output) {
return substr($output, 0, $key_length);
} else {
return bin2hex(substr($output, 0, $key_length));
}
}
$algo = "sha1";
$pass = user_input();
// symbolic input
$salt = user_input();
// symbolic input
$count = 1;
$key_len = 16;
$result = pbkdf2($algo, $pass, $salt, $count, $key_len);
label("after-call");
function strtolower($s)
{
return $s;
}
function in_array($x, $array)
{
foreach ($array as $elem) {
if ($x == $elem) {
return true;
}
* in Moodle)
*
* @param string $size size
*
* @return integer $size
*/
function PMA_getRealSize($size = 0)
{
/*
if (! $size) {
return 0;
}
*/
$scan['gb'] = 1073741824;
//1024 * 1024 * 1024;
$scan['g'] = 1073741824;
//1024 * 1024 * 1024;
$scan['mb'] = 1048576;
$scan['m'] = 1048576;
$scan['kb'] = 1024;
$scan['k'] = 1024;
$scan['b'] = 1;
foreach ($scan as $unit => $factor) {
if (strlen($size) > strlen($unit) && substr($size, strlen($size) - strlen($unit)) == $unit) {
return substr($size, 0, strlen($size) - strlen($unit)) * $factor;
}
}
return $size;
}
$in = user_input();
echo PMA_getRealSize($in) . "\n";
<!DOCTYPE html>
<html>
<head>
<title>P2 Allman</title>
<link href="p2.css" rel="stylesheet" type="text/css">
</head>
<body>
<?php
$qWords = $qSymbols = $qNumbers = 0;
if ($_SERVER["REQUEST_METHOD"] == "POST") {
$qWords = user_input($_POST["qWords"]);
$qSymbols = user_input($_POST["qSymbols"]);
$qNumbers = user_input($_POST["qNumbers"]);
}
function user_input($data)
{
$data = trim($data);
$data = stripslashes($data);
$data = htmlspecialchars($data);
return $data;
}
?>
<form method = 'POST' action = 'index.php' onsubmit = "return valdiateForm" >
<fieldset>
<table>
<?php
/*
compile : 'kompile php.k --backend-symbolic --symbolic-rules "step"'
run : 'krun examples/LTL-symbolic/handwritten/4.php -cPC="true" -cIN="ListItem(#symInt(x))" --parser="java -jar parser/parser.jar" --search'
*/
$a = array("a" => 0, "b" => 1);
$k = user_input();
if ($k == "bc") {
echo $a[$k];
}
