Avoid potential command injections

Docs > Code Analysis > Static Analysis Rules > Avoid potential command injections

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Metadata

ID: php-security/command-injection

Language: PHP

Severity: Error

Category: Security

CWE: 78

Description

Command injection vulnerabilities occur when an application passes unsafe user supplied data (forms, cookies, HTTP headers etc.) to a system shell. In this case, the attacker could execute arbitrary commands on the host operating system.

A command injection vulnerability could lead to data loss, corruption, or unauthorized access to sensitive data.

Always sanitize and validate user input before using it in a system command and avoid directly incorporating user input into system commands where possible.

Non-Compliant Code Examples

<?php
function check($host, $dir) {
    system("ping -n 3 " . $host);
    $out = null;
    $ret = null;
    exec('ls -lah'.$dir, $out, $ret);
}

Compliant Code Examples

<?php
function check() {
    system("ping -n 3 domain");
    $out = null;
    $ret = null;
    exec('ls -lah dir', $out, $ret);
}