Shell Command Injection
• There can't be command injection if there's no command -- do you really need to run an external program?
• Plenty of PHP built-ins for file operations:
    • mkdir()
    • rmdir()
    • copy()
    • rename() (moves a file)
    • unlink()
    • chmod()
    • chown()
    • chgrp()
    • ...
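An added example, not from the original slides: the same "archive an upload" task written with shell commands and then with the built-ins listed above. The function names, the `UPLOAD_DIR` path and the demo file names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumed layout for this example: user files live under one base directory.
const UPLOAD_DIR = '/var/www/uploads';

// Shell-based version (the pattern to replace): $name is pasted into a string
// handed to /bin/sh, so shell metacharacters in it become part of the command.
function archive_upload_shell(string $name): void
{
    system('mkdir -p ' . UPLOAD_DIR . '/archive');
    system('cp ' . UPLOAD_DIR . '/' . $name . ' ' . UPLOAD_DIR . '/archive/');
    system('rm ' . UPLOAD_DIR . '/' . $name);
}

// Built-in version: no shell is started, so $name is only ever a filename.
function archive_upload(string $name, string $base = UPLOAD_DIR): bool
{
    // Built-ins remove the shell, not path traversal: confine the name to $base.
    $name = basename($name);
    if ($name === '' || $name === '.' || $name === '..') {
        return false;
    }
    $src     = $base . '/' . $name;
    $archive = $base . '/archive';
    if (!is_file($src)) {
        return false;
    }
    if (!is_dir($archive) && !mkdir($archive, 0750, true)) {
        return false;
    }
    $dst = $archive . '/' . $name;
    if (!copy($src, $dst)) {
        return false;
    }
    chmod($dst, 0640);
    return unlink($src);
}

// Constructed demo in a temporary directory.
$base = sys_get_temp_dir() . '/uploads_demo_' . getmypid();
mkdir($base, 0750, true);
file_put_contents($base . '/report.txt', "constructed sample\n");
var_dump(archive_upload('report.txt', $base));
// Metacharacters are just bytes in a filename here; no such file exists.
var_dump(archive_upload('missing; echo injected', $base));
```

Removing the shell closes the injection path, but the filename still needs the `basename()` confinement shown here, because the built-ins will happily follow `../` segments.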