Warm tip: This article is reproduced from stackoverflow.com, please click
backticks php shell string

What are the rules of string manipulation when using backticks (grave accents)?

发布于 2020-11-21 03:41:30

In PHP when you write a set a variable equal to a string wrapped in grave accents, it gets executed as it would if it were inside a shell_exec() command. What does the grave accent symbol (`) ( not single quote) represent in PHP?

So, in php you can do all sorts of things to combine strings with variables, etc, what can I and can't I do when using ` instead of ' or " ?

Questioner
Kristian
Viewed
5
jnrbsn 2012-05-31 03:15

In the PHP, that character is called a backtick operator.

A literal string wrapped in backticks is a T_ENCAPSED_AND_WHITESPACE token. You can confirm this by running something like this:

print_r(token_get_all('<?php `uname`;'));

which gives you this:

Array
(
    [0] => Array
        (
            [0] => 367
            [1] => <?php 
            [2] => 1
        )

    [1] => `
    [2] => Array
        (
            [0] => 313
            [1] => uname
            [2] => 1
        )

    [3] => `
    [4] => ;
)

And then run token_name(313) which gives you T_ENCAPSED_AND_WHITESPACE.

To the parser, a string wrapped in backticks is equivalent to a string with variables in it like "hello $world". The literal/constant part of the string (the hello part) is T_ENCAPSED_AND_WHITESPACE.

So to answer your question, anything that you can do to a string that contains variables you can do to a string wrapped in backticks.

So why T_ENCAPSED_AND_WHITESPACE? Probably, because like a string containing variables, it's value is determined at runtime. Whereas a T_CONSTANT_ENCAPSED_STRING (a normal literal string) is kind of like a constant in the eyes of the parser.