Avoid potential command injections

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Metadata

ID: php-security/command-injection

Language: PHP

Severity: Error

Category: Security

CWE: 78

Description

Command injection vulnerabilities occur when an application passes unsafe user supplied data (forms, cookies, HTTP headers etc.) to a system shell. In this case, the attacker could execute arbitrary commands on the host operating system.

A command injection vulnerability could lead to data loss, corruption, or unauthorized access to sensitive data.

Always sanitize and validate user input before using it in a system command and avoid directly incorporating user input into system commands where possible.

Non-Compliant Code Examples

<?php
function check($host, $dir) {
    system("ping -n 3 " . $host);
    $out = null;
    $ret = null;
    exec('ls -lah'.$dir, $out, $ret);
}

Compliant Code Examples

<?php
function check() {
    system("ping -n 3 domain");
    $out = null;
    $ret = null;
    exec('ls -lah dir', $out, $ret);
}
https://static.datadoghq.com/static/images/logos/github_avatar.svg https://static.datadoghq.com/static/images/logos/vscode_avatar.svg jetbrains

Seamless integrations. Try Datadog Code Analysis

Datadog Code Analysis