Shell command fed directly by request input
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 25 points from that category, once per scan, no matter how many places it turns up.
What it detects
The backtick shell-exec operator or exec() runs a command built from $_GET/$_POST/$_REQUEST/$_COOKIE/$_SERVER, which is direct OS command injection: the request can append arbitrary shell syntax.
Why it matters
Passing request data into a backtick shell-exec expression or exec() hands the request a way to inject shell syntax, chaining in additional commands with characters like ; or |. Command injection in a PHP request handler is routinely used to gain a full remote shell on the host.
How to fix it
Avoid invoking a shell with request data entirely where possible. If a value from the request must be used, wrap it with escapeshellarg() as its own argument (not concatenated into a larger command string) and prefer the array-argument form via proc_open, or replace the shell call with a native PHP function that does the same job without spawning a process.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo