← Back to All Scanners
Injection AttacksCritical Severity

Code Injection - PHP Scanner

Tests for PHP code injection through eval() and similar functions.

Try This Scanner

What is Code Injection - PHP?

PHP Code Injection occurs when untrusted user input is passed to functions that execute PHP code, such as eval(), assert(), preg_replace() with /e modifier, create_function(), or include/require with user-controlled paths. This allows attackers to execute arbitrary PHP code on the server.

Why is This Important?

PHP code injection provides complete control over the web application and server. Attackers can execute system commands, access databases, modify files, steal credentials, install backdoors, and compromise other applications on the same server. PHP's ubiquity in web hosting makes this a widespread threat.

How It Works

1. Input Discovery

Maps all user input points including forms, headers, cookies, and API parameters for injection testing.

2. Injection Testing

Executes sophisticated injection payloads designed to bypass filters and WAFs while detecting vulnerabilities.

3. Exploitation Validation

Confirms vulnerabilities through safe exploitation, providing proof-of-concept and impact assessment.

Key Capabilities

Advanced injection detection engine combining signature-based and AI-powered analysis for comprehensive coverage.

  • Multi-vector injection testing across all input types
  • WAF and filter bypass techniques built-in
  • Database-specific payload optimization
  • Out-of-band detection for blind vulnerabilities
  • Automated proof-of-concept generation

Frequently Asked Questions

What PHP functions are vulnerable to code injection?

Dangerous functions include: eval(), assert(), preg_replace() with /e (deprecated), create_function() (deprecated), array_map/filter/walk with callable strings, unserialize() with magic methods, and dynamic includes (include/require with user input).

How do attackers exploit PHP code injection?

Attackers inject PHP code that will be executed, often calling system(), shell_exec(), or passthru() for command execution. Common payloads include web shells, reverse shells, or code to read configuration files containing database credentials.

Can PHP configuration prevent code injection?

disable_functions can block dangerous functions but has bypasses. open_basedir restricts file access. suhosin (legacy) added protections. However, the best defense is not using dangerous functions. Modern PHP has deprecated some dangerous functions.

How do I prevent PHP code injection?

Never use eval() or similar functions with user input, avoid deprecated functions like create_function(), use prepared statements instead of dynamic queries, validate all include/require paths, disable dangerous functions in php.ini, and use static analysis tools.

Related Scanners

NoSQL Injection - MongoDBCritical
Learn more →
NoSQL Injection - RedisCritical
Learn more →
NoSQL Injection - CouchDBCritical
Learn more →
NoSQL Injection - CassandraCritical
Learn more →

Ready to secure your application?

Start testing for code injection - php vulnerabilities today.

Get Started Free