Web applications that are dynamic in nature may use scripts to invoke some functionality in the command line on the web server to process the input received from the user. An attacker would try to get its input processed at the command line by circumventing the input validation filters implemented by the application. Command injection usually invokes commands on the same web server, but it is possible that the command could be executed on a different server depending on the architecture of the application.

Let's look at a simple snippet of code vulnerable to command injection flaw. This is an example of an online book store application that takes input from the user and displays the list of the book in that specific genre. The input is passed using the GET method, which maps to a directory name on the server and the file listed in that directory is displayed:

<?php
  print("Specify the genre of book that you want to be listed");
  print("<p>");
  $Genre=$_GET['userinput...