1.2.353. Direct Injection

The following code acts directly upon PHP incoming variables such as $_GET and $_POST, without validating them or escaping them for the output context. This makes those snippets very unsafe.

<?php

// Direct injection: the raw $_GET value goes straight into the output
echo "Hello ".$_GET['user'].", welcome.";

// Less direct injection: the raw value first passes through a function,
// but still reaches the output unchanged
foo($_GET['user']);
function foo($user) {
    echo "Hello ".$user.", welcome.";
}

?>

See also Cross-Site Scripting (XSS).

1.2.353.1. Suggestions

  • Validate input: make sure the incoming data are what you expect them to be (type, length, allowed characters), and reject anything else.

  • Escape output: prepare outgoing data for the next system that will consume it (HTML, SQL, shell, ...), using that system's escaping mechanism.
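The two suggestions applied to the snippet above, as an added example that is not part of the Exakat documentation. The username policy (letters, digits and underscore, 1 to 32 characters) and the HTML output context are assumptions made for the example; the sample inputs are constructed.

```php
<?php
// Added example, not from the Exakat documentation: the same greeting,
// with the incoming variable validated and the outgoing string escaped.

declare(strict_types=1);

// Validate input: accept only the username shape we expect.
// Assumed policy for this example: 1 to 32 letters, digits or underscores.
// Anything else (including a missing parameter) is rejected with null.
function validateUser(?string $raw): ?string
{
    if ($raw === null) {
        return null;
    }
    return preg_match('/^[A-Za-z0-9_]{1,32}$/', $raw) === 1 ? $raw : null;
}

// Escape output: prepare the value for the next system, here an HTML page.
// For another sink, use that sink's mechanism instead (prepared statements
// for SQL, escapeshellarg() for a shell command, json_encode() for JSON).
function greet(string $user): string
{
    return 'Hello ' . htmlspecialchars($user, ENT_QUOTES | ENT_HTML5, 'UTF-8') . ', welcome.';
}

// Unsafe form (the pattern the rule flags): the raw variable is echoed as-is.
//   echo "Hello ".$_GET['user'].", welcome.";

// Safe form: validation before use, escaping at the output.
function handleRequest(array $get): string
{
    $user = validateUser($get['user'] ?? null);
    if ($user === null) {
        http_response_code(400);
        return 'Invalid user name.';
    }
    return greet($user);
}

// Offline demonstration with constructed inputs (no real request involved).
if (PHP_SAPI === 'cli') {
    $samples = [
        ['user' => 'alice'],                        // accepted, printed verbatim
        ['user' => 'bob_99'],                       // accepted
        ['user' => '<script>alert(1)</script>'],    // rejected by validation
        ['user' => 'a"b'],                          // rejected by validation
        [],                                         // missing parameter, rejected
    ];
    foreach ($samples as $get) {
        echo json_encode($get), ' => ', handleRequest($get), PHP_EOL;
    }
} else {
    echo handleRequest($_GET);
}
```

Validation is the first line of defence because it shrinks what can ever reach the output; escaping stays in place regardless, so the greeting is still safe if the username policy is relaxed later (for example to allow names with `<` or quotes).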

1.2.353.2. Specs

Short name: Security/DirectInjection

Rulesets: All, Changed Behavior, Security

Exakat since: 0.8.4

PHP Version: All

Severity: Major

Time To Fix: Quick (30 mins)

Precision: High

Features: injection

Available in: Enterprise Edition, Exakat Cloud