The Dangers of Remote Execution
PHP exposes a number of different ways to include a script or evaluate a string of code, and it can issue shell commands. This power means that application developers must take special precautions with user input, database values, and any other untrusted data before it reaches an execution function: validate it against what the application actually expects, escape whatever must still be passed, and wherever possible keep untrusted data out of such calls altogether. This is just as critical as the sanitizing of user input that we have been discussing in previous chapters, and arguably more so, because a successful attack here yields execution of the attacker's code rather than a single corrupted value.
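The three execution paths named above (including a script, evaluating a string, issuing a shell command), each shown first as it is commonly written and then in a form that keeps untrusted data from being interpreted as code. This is an added example, not code from the book; the parameter names, the `pages/` directory, the page allowlist and the small calculator grammar are assumptions chosen for illustration.

```php
<?php
// Added example (not from the book). Each pair shows an execution function
// reached by untrusted data, then one way to keep that data from being
// interpreted as code. The 'pages/' directory, the allowlist contents and
// the calculator grammar are assumptions for illustration.

// --- 1. Dynamic include ----------------------------------------------------
// Vulnerable: the request parameter becomes part of the path handed to include().
function include_page_vulnerable(string $page): void
{
    include 'pages/' . $page . '.php';
}

// Hardened: the request value is only a key into a developer-owned allowlist;
// the attacker-controlled string never becomes part of a path.
const ALLOWED_PAGES = [
    'home'    => 'pages/home.php',
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
];

function include_page_hardened(string $page): void
{
    if (!array_key_exists($page, ALLOWED_PAGES)) {
        http_response_code(404);
        return;
    }
    include ALLOWED_PAGES[$page];
}

// --- 2. eval() on a string built from input --------------------------------
// Vulnerable: a "calculator" that lets the user supply the expression, so any
// PHP the user types is executed.
function calculate_vulnerable(string $expr)
{
    return eval('return ' . $expr . ';');
}

// Hardened: parse the small grammar the feature actually needs instead of
// handing the string to the PHP interpreter. Here: two integers, one operator.
function calculate_hardened(string $expr): ?int
{
    if (!preg_match('/^\s*(-?\d{1,9})\s*([+\-*])\s*(-?\d{1,9})\s*$/', $expr, $m)) {
        return null; // not an expression we accept
    }
    [, $a, $op, $b] = $m;
    $a = (int) $a;
    $b = (int) $b;
    switch ($op) {
        case '+': return $a + $b;
        case '-': return $a - $b;
        case '*': return $a * $b;
    }
    return null;
}

// --- 3. Shell command --------------------------------------------------------
// Vulnerable: the hostname is concatenated straight into the command line, so a
// value such as "example.com; id" or "$(id)" runs a second command.
function ping_vulnerable(string $host): string
{
    return (string) shell_exec('ping -c 1 ' . $host);
}

// Hardened: validate the shape first, then quote the value as a single argument.
// escapeshellarg() stops the shell from interpreting metacharacters; the pattern
// (first character alphanumeric) also stops a "-"-prefixed value from being read
// by ping as an option.
function ping_hardened(string $host): ?string
{
    if (!preg_match('/^[A-Za-z0-9]([A-Za-z0-9.-]{0,252}[A-Za-z0-9])?$/', $host)) {
        return null;
    }
    $out = shell_exec('ping -c 1 ' . escapeshellarg($host));
    return is_string($out) ? $out : null;
}

// Usage (constructed inputs): the hardened functions reject what the vulnerable
// ones would have executed.
var_dump(calculate_hardened('2 * 21'));                 // int(42)
var_dump(calculate_hardened('system("id")'));           // NULL
var_dump(ping_hardened('example.com; id'));             // NULL
var_dump(array_key_exists('../../etc/passwd', ALLOWED_PAGES)); // bool(false)
```

The pattern in all three pairs is the same: decide what the application needs (a page name from a fixed set, a two-operand arithmetic expression, a hostname), accept only that, and build the call to `include`, `eval` or `shell_exec` from values the code itself owns. Escaping with `escapeshellarg()` is the last line of defence in the shell case, not a substitute for the validation that precedes it.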
We now describe three different kinds of possible attacks, after which we will present a number of strategies for preventing this scourge.
Injection of PHP Code
PHP offers the developer a wide variety of ways to bring scripts together at runtime, which means that there is the same ...