ExpertRefresh

Remote code injection

How do you protect against Remote Code Injection?






Remote Code Injection

// Defence: Never using tainted data in an include or require // allow_url_fopen = 0 (default) A remote code injection attack occurs when an attacker is able to cause your application to execute PHP code of their choosing.
<?php ini_set("allow_url_fopen", 1); // dfault 0 include "{$_GET['section']}/data.inc.php"; // // include "news/data.inc.php"; // // include "";
It is easy to protect against it by filtering all input and never using tainted data in an include or require statement. By default, allow_url_fopen is set to On.
<?php $clean = array(); $sections = array('home', 'news', 'photos', 'blog'); if (in_array($_GET['section'], $sections)) { $clean['section'] = $_GET['section']; } else { $clean['section'] = 'home'; } include "{clean['section']}/data.inc.php";