Code Injection

A code injection is a vulnerability where external data is executed as PHP code.

In the example below, $_GET is used directly in the eval() function. With a crafted string (shown in the comment), the attacker can both assign the variable and run the phpinfo() command.

Among the solutions to mitigate this problem: filter the incoming data adequately; use prepared statements.

Some PHP functions are sensitive to this kind of attack: eval(), include(), include_once(), require() and require_once(). Dynamic calls are also susceptible to code injection.

<?php

// Both values come straight from the request: the attacker controls them.
$x      = $_GET['x'];
$method = $_GET['method'];

// $_GET['x'] = '1; phpinfo()';
// The interpolated string becomes "$myvar = 1; phpinfo();" and is executed as PHP code.
eval("\$myvar = $x;");

// $_GET['method'] = 'getSafe';
// Any method may be called on the $data object, not only the "safe" one.
$data->$method();

?>
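The hardened counterparts to the eval(), dynamic-call and inclusion patterns discussed above, as an added example that is not the page's own code: the request value is validated as data instead of being evaluated, the callable method names come from a fixed allow-list, and the included file is looked up in a fixed table rather than built from user input. The class, method and file names (SafeData, getSafe, pages/home.php) are assumptions.

```php
<?php
// Added example, not from the original page. Names and paths are assumptions.

declare(strict_types=1);

// 1. Do not eval() request data: parse it as a value, never as code.
function assignFromRequest(array $get): int
{
    // Only a plain integer passes; a payload such as '1; phpinfo()' is rejected.
    $value = filter_var($get['x'] ?? '', FILTER_VALIDATE_INT);
    if ($value === false) {
        throw new InvalidArgumentException('x must be an integer');
    }
    return $value; // same effect as "$myvar = 1;" without executing code
}

// 2. Dynamic calls: only method names from a fixed allow-list may be invoked.
final class SafeData
{
    private const ALLOWED_METHODS = ['getSafe', 'getSummary'];

    public function getSafe(): string    { return 'safe'; }
    public function getSummary(): string { return 'summary'; }
    public function dropEverything(): void { /* must never be reachable from a request */ }

    public function callFromRequest(string $method): string
    {
        // Strict comparison against the allow-list, not a check on the object's methods.
        if (!in_array($method, self::ALLOWED_METHODS, true)) {
            throw new InvalidArgumentException('unknown method');
        }
        return $this->$method();
    }
}

// 3. Inclusions: map the request to a path from a fixed table; never
//    concatenate user input into the file name passed to include/require.
function includeFromRequest(string $page): void
{
    $pages = [
        'home'  => __DIR__ . '/pages/home.php',   // assumed paths
        'about' => __DIR__ . '/pages/about.php',
    ];
    if (!isset($pages[$page])) {
        http_response_code(404);
        return;
    }
    require $pages[$page];
}

// Usage with constructed request values
$myvar = assignFromRequest(['x' => '42']);
$data  = new SafeData();
echo $data->callFromRequest('getSafe');
```

With these checks, assignFromRequest(['x' => '1; phpinfo()']) and $data->callFromRequest('dropEverything') both throw InvalidArgumentException instead of executing attacker-chosen code; the request value only ever selects among outcomes the application defined in advance.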

See also PHP Security 2: Directory Traversal & Code Injection and PHP code injection.

Related: Eval(), Inclusions, Dynamic Call, Execution, Injection