1.2.571. Indirect Injection
Look for injections through indirect usage of variables: a value from an external source such as $_GET or $_POST is first stored in a variable or passed as a function argument, and only then reaches a sensitive operation, so the source and the sink are not on the same line. Sensitive parameters are identified with the Security/SensitiveParameter rule.
<?php
$a = $_GET['a'];
echo $a; // direct injection: external input is echoed without validation

function foo($b) {
    echo $b; // $b is tainted whenever foo() is called with external input
}

foo($_POST['c']); // $_POST is propagated to the foo function
?>
1.2.571.1. Suggestions
Always validate incoming values before using them, and do it where the value enters the application rather than relying on the callee: a function that receives an already-validated, typed argument cannot be reached by the injection.
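The following is an added example, not code from the Exakat documentation: the vulnerable pattern from the rule description next to a hardened form that validates at the boundary and hands the callee a typed parameter. The request data is constructed inline so the script runs from the command line; the helper names read_text_param, read_int_param, foo_vulnerable and foo_hardened are illustrative, not part of Exakat or of any library.

```php
<?php
// Added example (not from the Exakat documentation). Constructed request
// data so the script runs offline; in a real request PHP fills these arrays.
$_GET  = ['a' => '<script>alert(1)</script>'];
$_POST = ['c' => '42abc'];

// Vulnerable: the tainted value is passed along unchanged and the injection
// happens inside the callee, one step away from the $_POST source.
function foo_vulnerable($b): void {
    echo $b, PHP_EOL;
}

// Hardened, step 1: validate and encode at the boundary, where the value
// enters. $a is expected to be short plain text destined for HTML output.
function read_text_param(array $source, string $name, int $maxLen = 64): string {
    $raw = $source[$name] ?? '';
    if (!is_string($raw) || strlen($raw) > $maxLen) {
        throw new InvalidArgumentException("invalid value for $name");
    }
    // Escape for the HTML context in which the value will be echoed.
    return htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// $c is expected to be an integer; anything else is rejected outright.
function read_int_param(array $source, string $name): int {
    $value = filter_var($source[$name] ?? null, FILTER_VALIDATE_INT);
    if ($value === false) {
        throw new InvalidArgumentException("$name must be an integer");
    }
    return $value;
}

// Hardened, step 2: the callee takes a typed, already-validated parameter,
// so no tainted value is propagated into the function.
function foo_hardened(int $b): void {
    echo $b, PHP_EOL;
}

// Direct sink, hardened: the HTML-escaped value is safe to echo.
echo read_text_param($_GET, 'a'), PHP_EOL;

// Indirect sink, vulnerable: '42abc' flows into foo_vulnerable() untouched.
foo_vulnerable($_POST['c']);

// Indirect sink, hardened: '42abc' never reaches foo_hardened().
try {
    foo_hardened(read_int_param($_POST, 'c'));
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

// With a well-formed value the hardened path accepts the input.
$_POST['c'] = '42';
foo_hardened(read_int_param($_POST, 'c'));
```

The point of the typed signature on foo_hardened() is that the property Exakat checks for (an unvalidated external value propagated into a function) becomes impossible to express: the only way to call the function is with an int, and the only int available comes from the validating reader.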
1.2.571.2. Specs
Short name | Security/IndirectInjection
Rulesets |
Exakat since | 0.8.4
PHP Version | All
Severity | Critical
Time To Fix | Slow (1 hour)
Precision | High
Features | injection
Available in |