rspec/rules/S5334/php/how-to-fix-it/core.adoc

== How to fix it in Core PHP

=== Code examples

The following code is vulnerable to arbitrary code execution because it
builds and dynamically runs PHP code based on untrusted data.

==== Noncompliant code example

[source,php,diff-id=1,diff-type=noncompliant]
----
$operation = $_GET['operation'];
eval("product_${operation}();"); // Noncompliant
----

==== Compliant solution

[source,php,diff-id=1,diff-type=compliant]
----
$allowed = ["add", "remove", "update"];
$operation = $allowed[$_GET["operationId"]];
if ($operation !== "") {
    eval("product_${operation}();");
}
----

=== How does this work?

include::../../common/fix/introduction.adoc[]

include::../../common/fix/parameters.adoc[]

include::../../common/fix/allowlist.adoc[]

The compliant code example uses such a binding approach.
Add checks for education format (#1607) 2023-03-07 17:16:47 +01:00			`== How to fix it in Core PHP`

			`=== Code examples`
Modify rule S5334: Changing text to the education framework format[PHP][APPSEC-236] (#1383) 2022-11-10 10:54:31 +01:00
			`The following code is vulnerable to arbitrary code execution because it`
			`builds and dynamically runs PHP code based on untrusted data.`

			`==== Noncompliant code example`

			`[source,php,diff-id=1,diff-type=noncompliant]`
			`----`
			`$operation = $_GET['operation'];`
			`eval("product_${operation}();"); // Noncompliant`
			`----`

			`==== Compliant solution`

			`[source,php,diff-id=1,diff-type=compliant]`
			`----`
			`$allowed = ["add", "remove", "update"];`
			`$operation = $allowed[$_GET["operationId"]];`
			`if ($operation !== "") {`
			`eval("product_${operation}();");`
			`}`
			`----`

			`=== How does this work?`

			`include::../../common/fix/introduction.adoc[]`

			`include::../../common/fix/parameters.adoc[]`

			`include::../../common/fix/allowlist.adoc[]`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`The compliant code example uses such a binding approach.`