--- title: Prevent injection through include statements description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Static Code Analysis (SAST) > SAST Rules > Prevent injection through include statements --- # Prevent injection through include statements {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). (). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **ID:** `php-security/include-injection` **Language:** PHP **Severity:** Info **Category:** Best Practices **CWE**: [78](https://cwe.mitre.org/data/definitions/78.html) ## Description{% #description %} This rule aims to prevent code injection vulnerabilities that arise from dynamically including files through `include`, `include_once`, `require`, or `require_once` statements. Including files based on untrusted or user-supplied input can lead to arbitrary code execution, allowing attackers to inject malicious scripts into the application. To avoid violations of this rule, developers should avoid directly using user input in include statements without proper validation or sanitization. Instead, use predefined constants, fixed paths, or whitelist allowed file names. When dynamic paths are necessary, validate them rigorously or use safe abstractions to ensure only intended files are included. For example, instead of `include($_GET['page']);`, use a mapping of allowed pages or sanitize the input before including: `include(__DIR__ . '/pages/' . basename($_GET['page']) . '.php');`. This approach reduces the risk of injection through include statements. ## Non-Compliant Code Examples{% #non-compliant-code-examples %} ```php ``` ```php ``` ## Compliant Code Examples{% #compliant-code-examples %} ```php ``` Seamless integrations. Try Datadog Code SecurityDatadog Code Security {% icon name="icon-external-link" /%}