PHP code injection

OWASP 2013-A1 OWASP 2017-A1 CWE-94 CAPEC-23 HIPAA-94 ISO27001-A.14.2.5 WASC-20 WSTG-INPV-11

Code injection is an injection technique that exploits a vulnerability caused by processing unvalidated input. An attacker introduces code into the vulnerable program, and the injected code changes its course of execution. A server that fails to validate user data properly is exposed to code injection vulnerabilities, and a successful code injection can be disastrous for that server.

Some servers have vulnerabilities that lead to PHP code injection, which allows an attacker to inject custom code into the server. This vulnerability is encountered when an attacker controls an input string that is passed to an eval() function call: eval() executes the string as PHP code.

Example

When a developer passes user-supplied data to the PHP eval() function, an attacker has the potential to modify and inject code into the application.

        <?php
        // The URL to access this: https://www.example.beaglesecurity.com/index.php?arg=1
        $myvar = "varname";
        $x = $_GET['arg'];
        // $x is interpolated into the string, so whatever the user supplies is evaluated as PHP
        eval("\$myvar = $x;");

In this web application, there is no input validation.

https://www.example.beaglesecurity.com/index.php?arg=1; phpinfo()

The above URL displays the phpinfo() output, which includes the PHP version and configuration details.

An attacker can execute system commands by requesting the below URL.

https://www.example.beaglesecurity.com/index.php?arg=1; system('id')

The above URL runs the `id` command on the server and returns the account under which the web server process is running:

        uid=33(www-data) gid=33(www-data) groups=33(www-data)

Impact

The impact includes:

  • Data loss
  • Data corruption
  • Lack of accountability
  • Denial of access attacks
  • Complete host takeover

Mitigation / Precaution

Beagle recommends the following fixes:

  • Properly sanitise the user input.
  • Properly validate the input variables.
  • Create a whitelist of all the acceptable inputs specific to the application.
  • During the input validation process, consider all required properties like length, type of input, missing or extra input and many more.
  • Make sure to check for invalid characters.
  • Try to set up all the page files in a separate directory.
  • To implement the desired functionality, prefer library calls over spawning external processes.
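The vulnerable pattern from the example above beside a hardened replacement that applies the allow-list and input-validation recommendations. This is an added example, not code from the page or from Beagle Security; the function names handleRequestUnsafe and handleRequestSafe and the ALLOWED_ARGS table are hypothetical.

```php
<?php
// Added example, not code from the page or from Beagle Security.
// handleRequestUnsafe / handleRequestSafe / ALLOWED_ARGS are hypothetical names.

// Vulnerable pattern from the page: $x is interpolated into a string that
// eval() then runs as PHP, so arg=1; phpinfo() becomes "$myvar = 1; phpinfo();".
function handleRequestUnsafe(array $get): void
{
    $x = $get['arg'] ?? '';
    eval("\$myvar = $x;");
}

// Hardened replacement: no eval(). The parameter is validated for type and
// length, then matched against an allow-list of values the application
// expects; the user value only ever selects a constant, it is never code.
const ALLOWED_ARGS = ['1' => 'page_one', '2' => 'page_two', 'about' => 'about'];

function handleRequestSafe(array $get): string
{
    $x = $get['arg'] ?? '';
    // $_GET entries can be arrays (arg[]=1), so check the type before anything else.
    if (!is_string($x) || $x === '' || strlen($x) > 16) {
        throw new InvalidArgumentException('arg must be a non-empty string of at most 16 bytes');
    }
    if (!array_key_exists($x, ALLOWED_ARGS)) {
        throw new InvalidArgumentException('arg is not an accepted value');
    }
    return ALLOWED_ARGS[$x];   // assignment by lookup, no code evaluation
}

// Constructed requests mirroring the page's URLs, plus an array-valued parameter.
foreach ([['arg' => '1'], ['arg' => '1; phpinfo()'], ['arg' => ['1']]] as $get) {
    try {
        echo handleRequestSafe($get), "\n";          // "page_one" for the first request
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";   // the injected and array inputs
    }
}
```

Only handleRequestSafe is invoked here; handleRequestUnsafe is shown so the two handlers can be compared line by line.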
