# Code Injection - CWE-94
Languages frequently have means for including external code directly.
* Import clauses: import code from a library, which in reality is a file somewhere in a list of folders.
* Eval/include/input clauses: include code directly from a text string.
$MessageFile = "cwe-94/messages.out";
if ($_GET["action"] == "NewMessage") {
$name = $_GET["name"];
$message = $_GET["message"];
$handle = fopen($MessageFile, "a+");
fwrite($handle, "<b>$name</b> says '$message'<hr>\n");
fclose($handle); echo "Message Saved!<p>\n";
} else if ($_GET["action"] == "ViewMessages") {
include($MessageFile);
}
```python
from flask import Flask, render_template_string, request
app = Flask(__name__, static_url_path='/static')
@app.route("/")
def home():
user = request.args.get('user') or None
template = 'SSTI demo app'
if user == None:
template = template + '''
Login Form
'''.format(user)
else:
template = template + '''
Hi {}
Welcome to the vulnerable app!'''.format(user)
return render_template_string(template)
if __name__ == '__main__':
app.run()
```