check-command-injection
Command Injection Security Check
Analyze PHP code for OS command injection vulnerabilities (OWASP A03:2021).
Detection Patterns
1. Direct Command Execution with User Input
// CRITICAL: shell_exec with user input
$output = shell_exec("ls " . $_GET['dir']);
$output = shell_exec("ping -c 3 {$host}");
// CRITICAL: exec with user input
exec("convert " . $filename . " output.png", $output);
exec("grep '$search' /var/log/app.log");
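For comparison when triaging a finding, hardened counterparts of the `ping`, `grep` and `ls` calls flagged above; this is an added example, not part of the original skill file. The function names, the `/srv/app/data` root and the choice of `proc_open()` with an argv array are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/** Run a command as an argv array: proc_open() starts it without a shell (PHP >= 7.4). */
function run_argv(array $argv): string
{
    // stderr goes to /dev/null so a chatty child cannot block on an unread pipe.
    $spec = [1 => ['pipe', 'w'], 2 => ['file', '/dev/null', 'w']];
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('failed to start ' . $argv[0]);
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    return (string) $out;
}

function ping_host(string $host): string
{
    // Allow only an IP literal or a syntactically valid hostname.
    $valid = filter_var($host, FILTER_VALIDATE_IP) !== false
        || filter_var($host, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) !== false;
    if (!$valid) {
        throw new InvalidArgumentException('invalid host');
    }
    return run_argv(['ping', '-c', '3', '--', $host]);
}

function grep_log(string $search): string
{
    // -F: fixed string, not a regex. "--": a value starting with "-" stays a pattern.
    return run_argv(['grep', '-F', '--', $search, '/var/log/app.log']);
}

function list_dir(string $dir): string
{
    $root = '/srv/app/data'; // assumed allowlisted root, already canonical
    $real = realpath($root . '/' . $dir);
    if ($real === false || strpos($real . '/', $root . '/') !== 0) {
        throw new InvalidArgumentException('path outside allowed root');
    }
    // Shell string kept on purpose: escapeshellarg() makes the path one quoted word.
    return (string) shell_exec('ls -- ' . escapeshellarg($real));
}
```

A call that matches the detection pattern but already validates its input and either avoids the shell or quotes with `escapeshellarg()` plus `--`, as here, can be downgraded from CRITICAL during review.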