When you execute shell commands with user-defined inputs in PHP, it leaves your application open to shell injection attacks. In these attacks, a malicious user can manipulate the input to execute arbitrary shell commands, which can lead to unauthorized access, data leakage, or even system compromise.
To ensure the safety of your application, it’s important to avoid using user-defined input directly in shell commands. Instead, use built-in PHP functions that can perform the required task without the need for executing shell commands. If there’s a need to use shell commands, make sure to sanitize and validate the user input thoroughly before using it.
Non-Compliant Code Examples
<?phpecho`ping -n 3 {$user_input}`;
Compliant Code Examples
<?phpecho`ping -n 3 domain.tld`;
シームレスな統合。 Datadog Code Security をお試しください
Datadog Code Security
このルールを試し、Datadog Code Security でコードを解析する
このルールの使用方法
1
2
rulesets:- php-security # Rules to enforce PHP security.