PHP backticks in GET/POST request

Using PHP 5.6, I stumbled upon the command execution via backticks and I was wondering how that could prove to be a vulnerability in PHP powered websites.

I can understand that the following code:

<?php
$output = `ls -al`;
echo "<pre>$output</pre>";
?>

allows the $output variable contents to be executed in shell.

My question now is, are the backticks needed to be hardcoded around the variable value or can they be also part of the value?

For example, in the previous code block the backticks are hardcoded around the value but what if the $output variable was set via a GET/POST REQUEST like so:

http://example.com/index.php?arg=`exec code`

or

http://example.com/index.php?arg=%60exec%20code%60

and in php:

<?php
// value comes straight from the request, without any evaluating construct
$output = $_REQUEST['arg'];
echo "<pre>$output</pre>";
?>

Is that vulnerable code?

Thank you in advance



Solution 1:[1]

Special characters in user input are not evaluated unless you do something to evaluate them.

That means injecting the string into a context where it will be evaluated (e.g. the eval function, where it will be evaluated as PHP; mysqli::query(), where it will be evaluated as SQL by the database server; or <script>, where it will be evaluated as JS by the browser).
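The following script illustrates the point of this answer in runnable form. It is an added example written for this page, not code from the asker or from Quentin. It assumes a request value of `id` wrapped in backticks (the decoded form of %60id%60); that value is constructed inside the script rather than read from $_REQUEST so it runs from the PHP CLI, and the helper names render() and renderSafe() are made up for the example. It shows that a backtick inside a request string is an inert character, that the backtick operator only fires where it is written literally in PHP source (and is the same thing as shell_exec()), and that the real evaluation context the echoed value lands in is HTML, so the appropriate defence is htmlspecialchars().

```php
<?php
// Added example (not from the original question or answer): a request value
// containing backticks is just a string; the backtick operator only executes
// where it appears literally in source code. The "request" value below is
// constructed; nothing here reads a real $_REQUEST. Written to run on PHP 5.6+.

/**
 * Echo-style handler from the question, with the input passed as a parameter
 * instead of taken from $_REQUEST so the script runs from the command line.
 *
 * @param string $arg the raw request value
 * @return string
 */
function render($arg)
{
    // Same as the question's code: the value is interpolated into a string.
    // Interpolation is not evaluation, so backticks inside $arg remain literal
    // characters and no shell is started.
    return "<pre>$arg</pre>";
}

/**
 * The same handler with output escaping. The echoed value lands in an HTML
 * context, which is the browser-side evaluation context the answer mentions
 * (<script>), so the right defence is HTML escaping, not shell escaping.
 *
 * @param string $arg the raw request value
 * @return string
 */
function renderSafe($arg)
{
    return '<pre>' . htmlspecialchars($arg, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</pre>';
}

// Constructed stand-in for $_REQUEST['arg'] after URL decoding of %60id%60.
$arg = '`id`';

$out = render($arg);
// The backticks survive unchanged; nothing was replaced by command output.
assert($out === '<pre>`id`</pre>');
assert(strpos($out, '`') !== false);

// Contrast: the backtick operator in *source code* does execute, and it is
// shell_exec() in disguise. Here it runs a fixed, harmless command.
$viaOperator = `echo hello`;
$viaFunction = shell_exec('echo hello');
assert($viaOperator === $viaFunction);
assert(trim($viaOperator) === 'hello');

// The escaped handler neutralises markup in the same position; backticks need
// no escaping for HTML, but < > & " ' do.
assert(renderSafe('<script>alert(1)</script>') ===
    '<pre>&lt;script&gt;alert(1)&lt;/script&gt;</pre>');

echo "literal request value: ", $out, PHP_EOL;
echo "operator output:       ", $viaOperator;
echo "escaped output:        ", renderSafe('<b>`id`</b>'), PHP_EOL;
```

Run it with `php example.php`. The first block of assertions is the answer to the question as asked: the backticks arrive as two ordinary characters and are never handed to a shell. The last assertion is the practical takeaway for the code in the question: echoing a request value unescaped puts it into the browser's evaluation context, which is why the safe version wraps it in htmlspecialchars() regardless of what the string contains.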

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1: Quentin