---
title: Avoid potential command injections
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Static Code Analysis (SAST) > SAST
  Rules > Avoid potential command injections
---

# Avoid potential command injections

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site). ().
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**ID:** `php-security/command-injection`

**Language:** PHP

**Severity:** Error

**Category:** Security

**CWE**: [78](https://cwe.mitre.org/data/definitions/78.html)

## Description{% #description %}

Command injection vulnerabilities occur when an application passes unsafe user supplied data (forms, cookies, HTTP headers etc.) to a system shell. In this case, the attacker could execute arbitrary commands on the host operating system.

A command injection vulnerability could lead to data loss, corruption, or unauthorized access to sensitive data.

Always sanitize and validate user input before using it in a system command and avoid directly incorporating user input into system commands where possible.

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```php
<?php
function check($host, $dir) {
    system("ping -n 3 " . $host);
    $out = null;
    $ret = null;
    exec('ls -lah'.$dir, $out, $ret);
}
```

## Compliant Code Examples{% #compliant-code-examples %}

```php
<?php
function check() {
    system("ping -n 3 domain");
    $out = null;
    $ret = null;
    exec('ls -lah dir', $out, $ret);
}
```
  Seamless integrations. Try Datadog Code SecurityDatadog Code Security 
{% icon name="icon-external-link" /%}