rspec/rules/S5334/php/how-to-fix-it/core.adoc

== How to fix it in Core PHP

=== Code examples

The following code is vulnerable to arbitrary code execution because it
builds and dynamically runs PHP code based on untrusted data.

==== Noncompliant code example

[source,php,diff-id=1,diff-type=noncompliant]
----
$operation = $_GET['operation'];
eval("product_${operation}();"); // Noncompliant
----

==== Compliant solution

[source,php,diff-id=1,diff-type=compliant]
----
$allowed = ["add", "remove", "update"];
$operation = $allowed[$_GET["operationId"]];
if ($operation !== "") {
    eval("product_${operation}();");
}
----

=== How does this work?

include::../../common/fix/introduction.adoc[]

include::../../common/fix/parameters.adoc[]

include::../../common/fix/allowlist.adoc[]

The compliant code example uses such a binding approach.