PHP Code Injection

Risk type: HIGH


A PHP code injection vulnerability allows an attacker to insert malicious PHP code into a program or script from an outside source. The injected code becomes part of the application itself and runs with the same permissions as the application.


Let's assume that a PHP script named "script.php" can be found at the following link:

The page has the following vulnerable code:

... html header ...
<?php
// $page is taken straight from the request (e.g. $_GET['page']) and is never validated
include($page);
?>
... html footer ...

The attacker could host a malicious script ("malicious.php") on some website:

The code within that script that the attacker wants to inject could look like:


The attacker could inject malicious code using the following URL in a browser:

The end result is that the exploited website executes the command phpinfo() from within "script.php".


  • Proper validation of input variables.
  • Use a whitelist of acceptable inputs that strictly conform to specifications.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules.
  • Check for invalid characters and set up all the page files in a separate directory.
  • Use library calls rather than external processes to recreate the desired functionality.
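The following is an added example, not code from the original page: it shows how the vulnerable include above can be replaced by one that validates the requested page name (type, length, character set) and then resolves it through an allowlist of known pages kept in a dedicated directory. The page names, the `pages/` directory and the `page` query parameter are assumptions made for illustration.

```php
<?php
// Added example (not from the original page): hardened replacement for
// "include($page)". Page names, paths and the $_GET parameter are assumptions.

// Allowlist: request value => file inside the dedicated pages directory.
const ALLOWED_PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

// Directory holding every includable page; nothing outside it is ever included.
const PAGES_DIR = __DIR__ . '/pages';

/**
 * Resolve a user-supplied page name to a safe file path, or null if rejected.
 * Checks type, length, character set and allowlist membership, then confirms
 * the resolved path still lies inside PAGES_DIR.
 */
function resolvePage($requested): ?string
{
    // Type and length: reject arrays, empty values and over-long input.
    if (!is_string($requested) || $requested === '' || strlen($requested) > 32) {
        return null;
    }
    // Character set: only lowercase letters, digits, dash and underscore.
    if (!preg_match('/^[a-z0-9_-]+$/', $requested)) {
        return null;
    }
    // Allowlist membership: unknown names are rejected, never used as paths.
    if (!array_key_exists($requested, ALLOWED_PAGES)) {
        return null;
    }
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . ALLOWED_PAGES[$requested]);
    // Defence in depth: the resolved file must be inside the pages directory.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// ... html header ...
$page = resolvePage($_GET['page'] ?? 'home');
if ($page === null) {
    http_response_code(400);
    echo 'Unknown page';
} else {
    include $page;
}
// ... html footer ...
```

Because the request value is only ever used as a key into `ALLOWED_PAGES`, no attacker-controlled string reaches `include` at all; the `realpath` check is a second line of defence should the allowlist itself ever be misconfigured. As a server-side complement, keeping PHP's `allow_url_include` directive set to `Off` (its default) prevents `include` from fetching remote URLs, which removes the remote-file variant of this attack regardless of application code.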

Further reading: