33 lines
783 B
Plaintext
33 lines
783 B
Plaintext
|
=== How to fix it in Core PHP
|
||
|
|
|
||
|
|
The following code is vulnerable to arbitrary code execution because it
|
||
|
|
builds and dynamically runs PHP code based on untrusted data.
|
||
|
|
|
||
|
|
==== Noncompliant code example
|
||
|
|
|
||
|
|
[source,php,diff-id=1,diff-type=noncompliant]
|
||
|
|
----
|
||
|
|
$operation = $_GET['operation'];
|
||
|
|
eval("product_${operation}();"); // Noncompliant
|
||
|
|
----
|
||
|
|
|
||
|
|
==== Compliant solution
|
||
|
|
|
||
|
|
[source,php,diff-id=1,diff-type=compliant]
|
||
|
|
----
|
||
|
|
$allowed = ["add", "remove", "update"];
|
||
|
|
$operation = $allowed[$_GET["operationId"]];
|
||
|
|
if ($operation !== "") {
|
||
|
|
eval("product_${operation}();");
|
||
|
|
}
|
||
|
|
----
|
||
|
|
|
||
|
|
=== How does this work?
|
||
|
|
|
||
|
|
include::../../common/fix/introduction.adoc[]
|
||
|
|
|
||
|
|
include::../../common/fix/parameters.adoc[]
|
||
|
|
|
||
|
|
include::../../common/fix/allowlist.adoc[]
|
||
|
|
|
||
|
|
The compliant code example uses such a binding approach.
|