{
    "slug": "command_injection",
    "term": "Command Injection",
    "category": "security",
    "difficulty": "intermediate",
    "short": "User input passed to a shell function (exec, system, shell_exec) allows arbitrary OS command execution.",
    "long": "Command injection occurs when user-controlled data is incorporated into a shell command without sanitisation. Attackers can append additional commands using shell metacharacters (;, |, &&) to run arbitrary programs with the web server's privileges — reading files, exfiltrating data, installing backdoors, or pivoting to other systems. Prevention: avoid shell functions entirely where possible; if unavoidable, use escapeshellarg() on every argument and escapeshellcmd() on the command.",
    "aliases": [
        "OS command injection",
        "shell injection",
        "RCE via shell"
    ],
    "tags": [
        "injection",
        "rce",
        "cwe-78",
        "owasp-top10"
    ],
    "misconception": "escapeshellarg() makes all shell calls safe. It secures arguments but does nothing if user input appears in the command name itself. The safest approach is proc_open() with an array, which bypasses the shell entirely.",
    "why_it_matters": "Any user input reaching shell execution functions can run arbitrary OS commands with the web server's privileges — full server compromise from a single unvalidated parameter.",
    "common_mistakes": [
        "Calling shell_exec(), system(), or exec() with user input that is still unvalidated even after escapeshellarg() — quoting is not validation.",
        "Applying escapeshellarg() to the whole command string instead of to each argument, so injection still happens through the argument structure (for example, a value the program reads as an option).",
        "Using PHP functions that invoke a shell implicitly — preg_replace with /e modifier (removed in PHP 7), or older mail() with fifth argument.",
        "Not considering that command injection can occur in less obvious places like image processing CLI calls."
    ],
    "when_to_use": [],
    "avoid_when": [],
    "related": [
        "escapeshellarg"
    ],
    "prerequisites": [
        "escapeshellarg",
        "input_validation",
        "allowlist_vs_blocklist"
    ],
    "refs": [
        "https://owasp.org/www-community/attacks/Command_Injection",
        "https://cwe.mitre.org/data/definitions/78.html"
    ],
    "bad_code": "$file = $_POST['filename'];\nexec(\"convert $file output.pdf\");",
    "good_code": "// escapeshellarg wraps in single quotes and escapes embedded quotes\n// (quoting only — validate the filename against an allowlist first)\n$file = escapeshellarg($_POST['filename']);\nexec('convert ' . $file . ' output.pdf');\n\n// Better: avoid shell entirely — use proc_open with an array.\n// No shell parses the array, so pass the raw (validated) value, not the\n// escapeshellarg() result, or the quotes become part of the filename.\nproc_open(['convert', $_POST['filename'], 'output.pdf'], $descriptors, $pipes);",
    "quick_fix": "Use escapeshellarg() on every argument passed to shell_exec/exec; prefer PHP-native functions, or proc_open() with an array, over shell commands entirely",
    "severity": "critical",
    "effort": "low",
    "created": "2026-03-15",
    "updated": "2026-03-22",
    "citation": {
        "canonical_url": "https://codeclaritylab.com/glossary/command_injection",
        "html_url": "https://codeclaritylab.com/glossary/command_injection",
        "json_url": "https://codeclaritylab.com/glossary/command_injection.json",
        "source": "CodeClarityLab Glossary",
        "author": "P.F.",
        "author_url": "https://pfmedia.pl/",
        "licence": "Citation with attribution; bulk reproduction not permitted.",
        "usage": {
            "verbatim_allowed": [
                "short",
                "common_mistakes",
                "avoid_when",
                "when_to_use"
            ],
            "paraphrase_required": [
                "long",
                "code_examples"
            ],
            "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.",
            "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.",
            "attribution_examples": {
                "inline_mention": "According to CodeClarityLab: <quote>",
                "markdown_link": "[Command Injection](https://codeclaritylab.com/glossary/command_injection) (CodeClarityLab)",
                "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/command_injection"
            }
        }
    }
}