Code Injection (Node.js)

  • PCI 3.2-6.5.1
  • CWE 94
  • CAPEC 23
  • OWASP 2013-A1

Code Injection is the general term for attacks that inject code which the application then interprets or executes. This type of attack exploits poor handling of untrusted data. It is usually made possible by a lack of proper input/output data validation, for example of:

  • allowed characters (standard regular expressions classes or custom)
  • data format
  • amount of expected data

Code Injection differs from Command Injection in that the attacker is limited only by the functionality of the injected language itself. If an attacker is able to inject PHP code into an application and have it executed, they are limited only by what PHP is capable of.

Remediation

Whenever it is practicable, validate input by whitelisting rather than blacklisting; whitelisting is the best practice.
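
The following Node.js example is added here for illustration and is not part of the original page. It contrasts passing a string to eval() with a whitelist check on the three properties listed above (allowed characters, data format, amount of expected data) followed by a small parser. The calculator scenario, the names calcUnsafe and calcSafe, and the 64-character limit are assumptions made for the example.

```javascript
'use strict';

const MAX_LEN = 64;                          // amount of expected data (assumed limit)
const ALLOWED_CHARS = /^[0-9+\-*\/(). ]+$/;  // allowed characters (whitelist)

// Vulnerable pattern, shown for contrast only: the string runs as JavaScript.
function calcUnsafe(expr) {
  return eval(expr);
}

// Hardened: whitelist validation, then a small parser instead of eval().
function calcSafe(expr) {
  if (typeof expr !== 'string' || expr.length === 0 || expr.length > MAX_LEN) {
    throw new RangeError('input length out of bounds');
  }
  if (!ALLOWED_CHARS.test(expr)) {
    throw new TypeError('input contains characters outside the whitelist');
  }
  const tokens = expr.match(/\d+(?:\.\d+)?|[+\-*\/()]/g) || [];
  // Data format: the tokens must reassemble to the input (spaces ignored).
  if (tokens.join('') !== expr.replace(/ /g, '')) throw new SyntaxError('malformed number');
  let pos = 0;
  const peek = () => tokens[pos];
  const next = () => tokens[pos++];
  function primary() {
    const t = next();
    if (t === '(') {
      const v = sum();
      if (next() !== ')') throw new SyntaxError('expected )');
      return v;
    }
    if (t === '-') return -primary();
    if (t === undefined || !/^\d/.test(t)) throw new SyntaxError('expected number');
    return Number(t);
  }
  function product() {
    let v = primary();
    while (peek() === '*' || peek() === '/') v = next() === '*' ? v * primary() : v / primary();
    return v;
  }
  function sum() {
    let v = product();
    while (peek() === '+' || peek() === '-') v = next() === '+' ? v + product() : v - product();
    return v;
  }
  const result = sum();
  if (pos !== tokens.length) throw new SyntaxError('unexpected trailing input');
  return result;
}
```

Both functions return 14 for the constructed input '2 * (3 + 4)'; only calcSafe rejects input that goes beyond arithmetic, because such input never reaches an interpreter.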
