Insecure Use of Language/Framework API
This category covers the following PHP APIs:
Why is this important?
PHP, like any other programming language, has dangerous APIs. If these APIs are not used properly, the impact on your app can be catastrophic. The function handling APIs listed below take a callable or a string of PHP code; if an attacker controls that value, they choose which function runs, or what code is evaluated, in your application.
Read below to find out how to fix these issues in your code.
Fixing Insecure Use of Function handling Functions
The following methods are dangerous if used incorrectly:
create_function
call_user_func
call_user_func_array
forward_static_call
forward_static_call_array
function_exists
register_shutdown_function
register_tick_function
Option A: Avoid User Input in Function handling Functions
Go through the issues that GuardRails identified in the PR
An example of an insecure usage of create_function() is shown below:

```php
// Note: create_function() is also deprecated as of PHP 7.2.0 and removed in PHP 8.0.0.
// Its second argument is evaluated as PHP code, so passing user input here is
// equivalent to eval($_GET['func']): arbitrary code execution.
create_function('', $_GET['func']);
```

Remove the user input from this call.
Create a normal, statically named function (or closure) that receives the user input as an argument, instead of letting the input decide which function is created or called.
Ship it 🚢 and relax 🌴
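The following is an added example of Option A, not GuardRails' own code. It shows the same weakness with call_user_func() beside a hardened version: user input selects a key in a fixed allowlist of closures and is passed to the chosen handler as an argument, but is never used as a callable or as code. The dispatch_insecure()/dispatch_secure() names and the sample requests are constructed for illustration.

```php
<?php
// Added example (not from the original page). Demonstrates Option A:
// keep user input out of function handling functions.

// VULNERABLE: the request decides which function is called.
// A request of ?action=system&arg=id becomes call_user_func('system', 'id').
// Checking function_exists($request['action']) first would not help,
// because 'system', 'exec', 'passthru' etc. all exist.
function dispatch_insecure(array $request): mixed
{
    return call_user_func($request['action'], $request['arg']);
}

// HARDENED: a fixed map of named handlers. The user input can only select
// one of these keys; it is never passed to call_user_func() or create_function().
function dispatch_secure(array $request): string
{
    $handlers = [
        'greet' => fn(string $name): string =>
            'Hello, ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8'),
        'shout' => fn(string $text): string => strtoupper($text),
    ];

    $action = (string) ($request['action'] ?? '');
    if (!array_key_exists($action, $handlers)) {
        // Unknown actions are rejected rather than looked up as functions.
        throw new InvalidArgumentException('Unknown action');
    }

    // User input flows in only as an argument to a handler we wrote.
    $arg = (string) ($request['arg'] ?? '');
    return $handlers[$action]($arg);
}

// Constructed sample requests standing in for $_GET.
echo dispatch_secure(['action' => 'greet', 'arg' => '<b>Ada</b>']), PHP_EOL;
// prints: Hello, &lt;b&gt;Ada&lt;/b&gt;

try {
    dispatch_secure(['action' => 'system', 'arg' => 'id']);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
// prints: Rejected: Unknown action
```

Note that an allowlist check followed by call_user_func($action, ...) on the original string is weaker than the map above: it still hands a user-controlled name to the function handling API, and a typo in the allowlist (or a later "temporary" addition) reopens the hole. With the map, the only callables that can ever run are the closures defined in the code.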