Reading Standard Input is security-sensitive. It has led in the past to the following vulnerabilities:

It is common for attackers to craft inputs enabling them to exploit software vulnerabilities. Thus any data read from the standard input (stdin) can be dangerous and should be validated.

This rule flags code that reads from the standard input.

Ask Yourself Whether

You are at risk if you answered yes to this question.

Recommended Secure Coding Practices

Sanitize all data read from the standard input before using it.

Questionable Code Example

// Any reference to STDIN is Questionable
$varstdin = STDIN; // Questionable
stream_get_line(STDIN, 40); // Questionable
stream_copy_to_stream(STDIN, STDOUT); // Questionable
// ...
// Except those references as they can't create an injection vulnerability.
ftruncate(STDIN, 5); // OK
ftell(STDIN); // OK
feof(STDIN); // OK
fseek(STDIN, 5); // OK
fclose(STDIN); // OK
// STDIN can also be referenced like this
$mystdin = 'php://stdin'; // Questionable

file_get_contents('php://stdin'); // Questionable
readfile('php://stdin'); // Questionable

$input = fopen('php://stdin', 'r'); // Questionable
fclose($input); // OK
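
The rule only flags the read; what makes the subsequent use acceptable is the validation the "Recommended Secure Coding Practices" section asks for. The following is an added PHP example, not code from the rule page, showing one way to do that: each line taken from STDIN is checked against an allowlist (a name pattern, an integer range) before it is used, and the resulting path is re-checked with realpath() as a second layer. The function names, BASE_DIR and the report-file layout are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Added example, not from the SonarSource rule page. readStdinLine(),
// validateName(), validateCount(), reportPath() and BASE_DIR are assumed names.

const BASE_DIR = '/var/app/reports'; // assumed directory; adjust to your deployment

/** Read one line from stdin; null on EOF or read error. This is the call the rule flags. */
function readStdinLine(): ?string
{
    $line = fgets(STDIN); // Questionable per the rule: untrusted data enters here
    return $line === false ? null : $line;
}

/**
 * Validate an untrusted line against an allowlist pattern and a length bound.
 * Returns the validated string or null when the input is rejected.
 */
function validateName(?string $raw, int $maxLen = 32): ?string
{
    if ($raw === null) {
        return null;                          // nothing read
    }
    $value = rtrim($raw, "\r\n");
    if ($value === '' || strlen($value) > $maxLen) {
        return null;                          // empty or oversized
    }
    // Allowlist: lowercase letters, digits and underscores only. This excludes
    // path separators, "..", NUL bytes and shell metacharacters outright.
    if (!preg_match('/^[a-z0-9_]+$/', $value)) {
        return null;
    }
    return $value;
}

/** Validate an untrusted line as an integer within [$min, $max]; null if rejected. */
function validateCount(?string $raw, int $min = 1, int $max = 1000): ?int
{
    if ($raw === null) {
        return null;
    }
    $value = filter_var(trim($raw), FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);
    return $value === false ? null : $value;
}

/**
 * Build a path under BASE_DIR from an already-validated name and confirm the
 * containing directory still resolves to BASE_DIR (defence in depth).
 */
function reportPath(string $name): ?string
{
    $candidate = BASE_DIR . '/' . $name . '.txt';
    $base = realpath(BASE_DIR);
    $dir  = realpath(dirname($candidate));
    if ($base === false || $dir === false || $dir !== $base) {
        return null;
    }
    return $candidate;
}

// Usage: two lines are expected on stdin, a report name and a line count.
$name  = validateName(readStdinLine());
$count = validateCount(readStdinLine());

if ($name === null || $count === null) {
    fwrite(STDERR, "Rejected: invalid input on stdin\n");
    exit(1);
}

$path = reportPath($name);
if ($path === null) {
    fwrite(STDERR, "Rejected: path would fall outside " . BASE_DIR . "\n");
    exit(1);
}

printf("Would write %d lines to %s\n", $count, $path);
```

Two points worth noting in the design: validation is done with allowlists (a regular expression anchored at both ends, an integer range) rather than by stripping known-bad characters, and the value is validated once, close to where it is read, so every later use of $name and $count works with data that has already been checked.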

See: