Reputation: 1202
CodeIgniter: OS Command Injection
Is there a way in CodeIgniter to prevent OS command injection automatically? I am aware of all the other protection CI has, but cannot find any material about OS Command Injection.
EDIT after comments received:
We are developing a web app that we are developing, will be hosted inside a large internal network where they have strict security policies that we will need to adhere to. One of them is OS Command Injection protection. They are afraid that users will run OS Commands through input fields. Is this possible, and how do I prevent this?
Upvotes: 1
Views: 1345
Answers (2)
Reputation: 336
CodeIgniter has features for preventing SQL Injection but not Command Injections. There are 3 ways to prevent attack from url:
Set limited user permission to runs web application. Make sure he won't be able to write or execute out of control.
Disable php functions in disable_functions in php.ini.
Install Suhosin 수호신 which is a PHP security extension and stop eval(). Because eval() is a construct not a function, you cannot disable with disable_functions in php.ini.
Check my command injection attack in Check And Solve If Your QNAP NAS Has been Injected a CPUMiner Program. It contains not only shell_exec() but also eval().
Upvotes: 0
Reputation: 26415
CodeIgniter doesn't run shell commands, which is a pretty easy way to prevent command injection. If you are adding shell command execution to the web app you are creating you will need to take care of preventing command injection yourself.
Upvotes: 2
Related Questions
- How Is The Correct Way To Use CLI Command In Codeigniter 4 To Execute Controller
- PHP Error encountered when running Command Line using CodeIgniter 2.xx
- Codeigniter php: SQL injection prevent
- Codeigniter SQL Injection
- Codeigniter CLI access without arguments
- Code injection with PHP
- Access codeigniter controller from command line
- Codeigniter 2 restrict controller to command line
- PHP Code Injection
- SQL Injection and Codeigniter