Server Side Code Injection - PHP Code Injection

Risk:
High

Type:
Active

CWE:
CWE-94

Summary: A code injection may be possible including custom code that will be evaluated by the scripting engine

Solution: Do not trust client side input, even if there is client side validation in place. In general, type check all data on the server side and escape all data received from the client. Avoid the use of eval() functions combined with user input data.

References

https://cwe.mitre.org/data/definitions/94.html

https://owasp.org/www-community/attacks/Direct_Dynamic_Code_Evaluation_Eval%20Injection

Free security scan for your website

Don't show website scan report rating on the leaderboard