Avoid potential command injections
ID: php-security/command-injection
Language: PHP
Severity: Error
Category: Security
CWE: 78
Description
Command injection vulnerabilities occur when an application passes unsanitized user-supplied data (form fields, query parameters, cookies, HTTP headers, file names, etc.) to a system shell through functions such as system(), exec(), shell_exec(), passthru(), popen(), proc_open() or the backtick operator. Because the shell interprets metacharacters (;, &&, |, $(), backticks, newlines) in that data, an attacker who controls the input can terminate the intended command and execute arbitrary commands on the host operating system with the privileges of the web server process.
A command injection vulnerability can lead to data loss, data corruption, unauthorized access to sensitive data, or full compromise of the host.
Avoid building shell commands from user input where possible; prefer a PHP or library function that does the same job, or invoke the program without a shell. Where a command is unavoidable, validate the input against a strict allowlist (for example a hostname pattern that rejects a leading "-", so the value cannot be parsed as an option) and wrap every argument in escapeshellarg() so the shell treats it as a single literal value. Note that escapeshellcmd() escapes the whole command string, not an individual argument, and does not stop an attacker from injecting additional arguments.
Non-Compliant Code Examples
<?php
function check($host, $dir) {
    // $host is concatenated straight into the command string, so a value such as
    // "example.com; id" ends the ping command and runs "id".
    system("ping -n 3 " . $host);
    $out = null;
    $ret = null;
    // Same problem: $dir reaches the shell unescaped.
    exec('ls -lah ' . $dir, $out, $ret);
}
Compliant Code Examples
<?php
function check() {
    // Both commands are fixed string literals; no user-controlled data reaches the shell.
    system("ping -n 3 domain");
    $out = null;
    $ret = null;
    exec('ls -lah dir', $out, $ret);
}
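The compliant example above removes the parameters entirely, which is not always possible. The following is an added example, not code from the rule page, showing how the original check($host, $dir) can keep its inputs and still be safe: each value is validated against an allowlist, the directory is confined to an assumed base path (/var/www/uploads is a placeholder), and every argument is quoted with escapeshellarg(). The ping -c option is the Linux form of the page's ping -n.

```php
<?php
declare(strict_types=1);

// Added example (not part of the rule page): hardened version of check().
// Strategy: strict allowlist validation first, then escapeshellarg() so the
// shell receives each value as one literal argument.

function validateHost(string $host): string
{
    // Hostname or dotted IPv4: letters, digits, dots and hyphens only.
    // The (?!-) lookahead rejects a leading '-', so the value can never be
    // parsed by ping as an option such as "-f".
    if (!preg_match('/^(?!-)[A-Za-z0-9.-]{1,253}$/', $host)) {
        throw new InvalidArgumentException('invalid host');
    }
    return $host;
}

function resolveUnderBase(string $base, string $dir): string
{
    // Canonicalize both paths and require the target to be the base itself
    // or a descendant of it; this blocks "../" traversal and symlink escapes.
    $baseReal = realpath($base);
    $real     = realpath($base . DIRECTORY_SEPARATOR . $dir);
    if ($baseReal === false || $real === false) {
        throw new InvalidArgumentException('directory does not exist');
    }
    $isInside = ($real === $baseReal)
        || strncmp($real, $baseReal . DIRECTORY_SEPARATOR, strlen($baseReal) + 1) === 0;
    if (!$isInside) {
        throw new InvalidArgumentException('directory outside allowed base');
    }
    return $real;
}

function check(string $host, string $dir): array
{
    $host = validateHost($host);
    $path = resolveUnderBase('/var/www/uploads', $dir); // assumed base directory

    // escapeshellarg() wraps the value in single quotes and escapes any
    // embedded single quote, so "example.com; id" reaches ping as the literal
    // argument 'example.com; id' (and is rejected by validateHost() anyway).
    $pingStatus = null;
    system('ping -c 3 ' . escapeshellarg($host), $pingStatus);

    $out = [];
    $ret = null;
    // '--' terminates option parsing, so even a path beginning with '-'
    // cannot be interpreted by ls as a flag.
    exec('ls -lah -- ' . escapeshellarg($path), $out, $ret);

    return ['ping' => $pingStatus, 'ls' => $ret, 'listing' => $out];
}

// Demonstration with constructed attacker input: the injection attempt never
// reaches the shell because validation fails first.
foreach (['example.com; id', '-f example.com', '../../etc'] as $bad) {
    try {
        check($bad, $bad);
        echo "unexpectedly accepted: $bad\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected '$bad': " . $e->getMessage() . "\n";
    }
}
```

On PHP 7.4 and later, proc_open() also accepts the command as an array of arguments, in which case no shell is involved at all and metacharacters lose their meaning; that is the safer design when the program's interface allows it. Validation is still needed in that case to stop argument injection (a value starting with "-" being read as an option), which quoting alone does not prevent.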