Q
Detector Library
PHP detectors (34/34)
Server Side Request ForgerySQL InjectionActivated Debug FeatureSensitive information leakLog InjectionOrigins-verified cross-origin communicationsCross-site scriptingDangerous Function UsagePath TraversalAvoiding Exceptions in PHPOS command injectionIncorrect ComparisonLdap Bind Without PasswordSendfile InjectionAssert UseLoose file permissionsImproper AuthenticationInsecure connectionWeak Random Number GenerationOpen RedirectAllow Url Fopen Or IncludeInsecure cryptographyObject Input Stream Insecure DeserializationCookie Without Http Only FlagCode InjectionZip bomb attackUnsafe ReflectionSecure Signal HandlingDeserialization of untrusted dataStatic Initialization Vector (IV)Coral Csrf RuleInsecure cookieImproper access controlInsecure Object Attribute Modification
OS command injection High
OS command injection is a critical vulnerability that can lead to a full system compromise as it may allow an adversary to pass in arbitrary commands or arguments to be executed.
Detector ID
php/os-command-injection@v1.0
Category
Common Weakness Enumeration (CWE) 
Noncompliant example
1$username = $_COOKIE['username'];
2// Noncompliant: Incorporating variable into command strings
3exec("wto -n \"$username\" -g", $ret);Compliant example
1$fullpath = $_POST['fullpath'];
2// Compliant: escapeshellarg() is used to prevent command injection
3$filesize = trim(shell_exec('stat -c %s ' . escapeshellarg($fullpath)));