1.2.571. Indirect Injection

This rule reports injections through indirect usage of $_GET, $_POST, $_REQUEST and $_COOKIE values. The injection is indirect because the incoming data may be stored in a different container, such as a local variable or a function parameter, before it reaches the sensitive call.

Sensitive parameters are identified with the Security/SensitiveParameter rule.

<?php

$a = $_GET['a'];   // $_GET value is stored in a local variable
echo $a;           // and reaches the sensitive call through that variable

function foo($b) {
    echo $b;       // the parameter carries the unvalidated $_POST value
}
foo($_POST['c']);  // $_POST is propagated to the foo function

?>

1.2.571.1. Suggestions

  • Always validate incoming values before using them.
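The following is an added example, not part of the Exakat documentation or the rule's own code: it repeats the indirect flow shown above (superglobal to local variable to function parameter), then shows the same flow with validation at the entry point and output encoding at the sink. The requireSlug() helper and the sample request value are assumptions made for this example.

```php
<?php
// Added example (not Exakat's own code). Constructed sample request value so
// the script can be run from the command line without an HTTP request.
$_GET['a'] = 'hello-1';

// Hypothetical helper: whitelist validation, returns the value or throws.
function requireSlug(string $value): string {
    // Only lowercase letters, digits and dashes, 1 to 40 characters.
    if (preg_match('/\A[a-z0-9-]{1,40}\z/', $value) !== 1) {
        throw new InvalidArgumentException('invalid slug');
    }
    return $value;
}

// Indirect injection as reported by the rule: the $_GET value is copied into
// a local variable, passed as a parameter, and reaches echo unvalidated.
function renderUnsafe(string $b): void {
    echo $b, "\n";
}
$a = $_GET['a'] ?? '';
renderUnsafe($a);

// Hardened variant: validate the value where it enters the program, then
// encode it for the HTML context at the output sink.
function renderSafe(string $b): void {
    echo htmlspecialchars($b, ENT_QUOTES | ENT_HTML5, 'UTF-8'), "\n";
}
$slug = requireSlug($_GET['a'] ?? '');
renderSafe($slug);
```

Because the validated value is what flows through the container, the sensitive call only ever receives data that matched the whitelist.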

1.2.571.2. Specs

Short name: Security/IndirectInjection
Rulesets: All, Changed Behavior, Security
Exakat since: 0.8.4
PHP Version: All
Severity: Critical
Time To Fix: Slow (1 hour)
Precision: High
Features: injection
Available in: Entreprise Edition, Exakat Cloud