1.2.353. Direct Injection
The following code acts directly upon PHP incoming variables like $_GET and $_POST. This makes those snippets very unsafe: the value supplied by the client reaches the output without any validation or escaping.
<?php
// Direct injection: $_GET['user'] is written straight into the HTML output.
echo "Hello ".$_GET['user'].", welcome.";

// Less direct injection: the same value is passed through a function first,
// but it still reaches the output unmodified.
foo($_GET['user']);

function foo($user) {
    echo "Hello ".$user.", welcome.";
}
?>
See also Cross-Site Scripting (XSS).
1.2.353.1. Suggestions
Validate input: make sure the incoming data is what you expect it to be.
Escape output: prepare outgoing data for the next system that will use it.
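The two suggestions applied to the snippet above, as an added example that is not part of the Exakat page: validateUser() and render() are hypothetical names, and the accepted name format (letters, digits, spaces, dots, apostrophes and hyphens, 1 to 32 characters) is a constructed rule.

```php
<?php
declare(strict_types=1);

// Validate input: accept only the shape of value we expect (constructed rule:
// 1-32 Unicode letters/digits, spaces, dots, apostrophes or hyphens).
// Anything else, including a missing parameter, is rejected with null.
function validateUser(?string $raw): ?string
{
    if ($raw === null) {
        return null;
    }
    return preg_match("/^[\\p{L}\\p{N} .'-]{1,32}$/u", $raw) === 1 ? $raw : null;
}

// Escape output: prepare the value for the next system, here an HTML page.
// Validation already limits the character set; escaping still neutralises the
// apostrophe that the rule allows, so each layer stands on its own.
function render(array $query): string
{
    $user = validateUser($query['user'] ?? null);
    if ($user === null) {
        return "Invalid user.";
    }
    $safe = htmlspecialchars($user, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "Hello " . $safe . ", welcome.";
}

// Before: echo "Hello ".$_GET['user'].", welcome.";
// After: the request array is validated, then escaped at the point of output.
echo render($_GET), "\n";

// Offline checks with constructed inputs (no web request needed).
assert(render(['user' => 'alice']) === 'Hello alice, welcome.');
assert(render([]) === 'Invalid user.');
assert(render(['user' => '<script>']) === 'Invalid user.');
// The apostrophe is accepted by the rule but never reaches the output raw.
assert(strpos(render(['user' => "O'Brien"]), "'") === false);
```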
1.2.353.2. Specs
Short name | Security/DirectInjection
Rulesets |
Exakat since | 0.8.4
PHP Version | All
Severity | Major
Time To Fix | Quick (30 mins)
Precision | High
Features | injection
Available in |