Code Injection

A code injection is a vulnerability where external data is used as PHP code.

In the example below, $_GET is used directly in the eval() function. With a crafted string (shown in the comment), it is possible to complete the assignment and then run the phpinfo() command.

Among the solutions to mitigate this problem: filter the incoming data adequately; use prepared statements.

Some PHP functions are sensitive to this kind of attack: eval(), include(), include_once(), require(), require_once(). Dynamic calls are also susceptible to code injection.

<?php

// Both values come straight from the request: this is the external data.
$x      = $_GET['x'];
$method = $_GET['method'];

// $_GET['x'] = '1; phpinfo()';
// The injected string completes the assignment, then phpinfo() runs as PHP code.
eval("\$myvar = $x;");

// $_GET['method'] = 'getSafe';
// Any method may be called on the safe object, not only getSafe()
$data->$method();

?>
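The same two patterns rewritten without eval() and without an unrestricted dynamic call, as an added example that is not code from the original page. The Safe class, the function names and the sample requests are assumptions made for the illustration; the mitigation shown is the "filter the incoming data" approach from the text, applied as strict validation and an allow-list.

```php
<?php
// Added example (not from the original page): hardened versions of the
// eval() assignment and the dynamic method call. Class and function names
// are assumptions for this illustration.

declare(strict_types=1);

final class Safe
{
    public function getSafe(): string { return 'safe result'; }
    public function getOther(): string { return 'other result'; }
    // Not in the allow-list below, so it can never be reached through user input.
    public function deleteEverything(): string { return 'should never run'; }
}

// Replacement for eval("\$myvar = $x;"): the input is data, so parse it as data.
// Only an integer is accepted; anything else (including '1; phpinfo()') is
// rejected and null is returned.
function assignFromInput(array $get): ?int
{
    $value = filter_var($get['x'] ?? null, FILTER_VALIDATE_INT);
    return $value === false ? null : $value;
}

// Replacement for $data->$method(): only names from a fixed allow-list may be
// called, compared with strict in_array() so no type juggling can bypass it.
function callFromInput(Safe $data, array $get): ?string
{
    $allowed = ['getSafe', 'getOther'];
    $method  = $get['method'] ?? '';
    if (!is_string($method) || !in_array($method, $allowed, true)) {
        return null;
    }
    return $data->$method();
}

// Constructed sample requests standing in for $_GET.
$benign    = ['x' => '42', 'method' => 'getSafe'];
$malicious = ['x' => '1; phpinfo()', 'method' => 'deleteEverything'];

var_dump(assignFromInput($benign));
var_dump(assignFromInput($malicious));
var_dump(callFromInput(new Safe(), $benign));
var_dump(callFromInput(new Safe(), $malicious));
```

With the benign request the integer 42 is assigned and getSafe() is called; with the malicious request both functions return null, because the string is not a valid integer and deleteEverything is not on the allow-list. The key design choice is that user input never becomes code or a method name on its own: it is either converted to a plain value or matched against a fixed set of names the developer chose in advance.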

See also PHP Security 2: Directory Traversal & Code Injection

Related: Eval(), Inclusions, Dynamic Call