Due to numerous comments published (at the time the question was asked by me), I believe there is some doubt as to the PHP Injection. So I’ll explain some points.

What is PHP Injection?

It is a form of attack where the attacker uses a PHP script to attack an application written in PHP.

According to Google:

[...] PHP Injection is a technique used on the Internet consisting of injecting malicious scripts, making the page vulnerable the control of the attacker [...]

Generally, this type of attack consolidates when the developer leaves loopholes in upload forms. For example, the malicious person can send a PHP script through that form and then run it.

The result could be disastrous if the attacker manages to list directories, delete files, steal sensitive data, etc...

Send like this, PHP Injection has no relation to SQL Injection, as some had pointed out in previous comments.

And the SQL Injection?

SQL Injection is an attack that consists of inserting (known as injection) a query via web application.

That is, there is no direct relationship with the PHP Injection.

Ways to avoid PHP Injection

Be careful when uploading!

As stated earlier, one of the biggest ways of this attack is through upload forms, where the attacker manipulates the uploaded content (usually by sending an unexpected PHP script on the server) and, through it, has access to server information.

Avoid the eval

Another dangerous thing about PHP Injection is the use of the function eval, which has the power to make a string in a valid PHP code.

See more information about eval in the question below:

• Eval is either good or bad?

Beware as the modifier e of function preg_replace

Recently, PHP deprecated the modifier e of function preg_replace, because this modifier could use a valid PHP code as a return, being also used by attackers.

See that the preg_replace and the modifier e this question caused some problems for the developer:

• What the code below (written by a Cracker) does?

In this question asked by @Rodrigoborth, it is clear that the code was injected by a Cracker into the server where his application is.

Although it has been deprecated, it is good to keep an eye out for older library versions or legacy applications that might use this modifier.

Null Byte Attack

It seems that the Null Byte Attack also was a problem in PHP in previous versions too.

See more about this here:

• What is Null Byte Injection? How to Prevent It?

SQL Injection is related to PHP Injection ?

No. These are different matters and, in each case, the safety care should be different.

See the SQL Injection section below to draw your conclusions about the differences:

• How to prevent SQL code injection into my PHP code?

What not to confuse?

Another thing is to confuse Ataque XSS with PHP Injection. XSS can be done in any other language that does not take proper care. PHP Injection is something specific to PHP.

Just to contribute to the discussion and given that I went through this bad experience on a site I administer I will detail the incident.

On this site the user is allowed to send ZIP files and images (JPG/PNG). Well, an unfortunate uploaded a JPG file that was actually not an image but a PHP script, it simply changed its extension, moved the file with an image header obviously but at the end of the file there is a php script that created a remote access console with the name of copyright.php , from there he could list the files of the server and consequently see them in detail (with right to connection to the database).

It took work to identify this, fix it was simple but see the php Injection It’s been a lot of work going on, and we never thought you’d imagine it. The interesting thing is that he also used a text browser to visit the image, to come a binary header and then the code to be shown in the browser.