Avoid executing shell commands with arbitrary input

문서 > Datadog 보안 > Code Security > Static Code Analysis (SAST) > SAST Rules > Avoid executing shell commands with arbitrary input

이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Metadata

ID: php-security/avoid-backticks

Language: PHP

Severity: Error

Category: Security

CWE: 94

Description

When you execute shell commands with user-defined inputs in PHP, it leaves your application open to shell injection attacks. In these attacks, a malicious user can manipulate the input to execute arbitrary shell commands, which can lead to unauthorized access, data leakage, or even system compromise.

To ensure the safety of your application, it’s important to avoid using user-defined input directly in shell commands. Instead, use built-in PHP functions that can perform the required task without the need for executing shell commands. If there’s a need to use shell commands, make sure to sanitize and validate the user input thoroughly before using it.

Non-Compliant Code Examples

<?php
echo `ping -n 3 {$user_input}`;

Compliant Code Examples

<?php
echo `ping -n 3 domain.tld`;