Re: securing a script that exec()s



On Sat, Mar 31, 2012 at 1:37 AM, rene7705 <rene7705@xxxxxxxxx> wrote:
> escapeshellcmd() seems simplest.

It might be if all you care about are shell meta characters, and
admittedly it will save you from someone entering "& rm -rf / &" in
your input field. But dealing with generic user input, even escaped,
can still be problematic. Say you want to let the user set the size of
the output file, and the user enters a bunch of letters instead of a
geometry. Do you really want to have to deal with all the possible
ramifications of such GIGO stuff? Better to vet the data, untaint it,
and deal with it that way. When you've gone to all that, you're almost
all the way to where you need to be to use the library functions.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
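As an added illustration of the vetting approach described above (example code, not from the thread's author): the geometry string is whitelisted and range-checked before it gets anywhere near exec(), and each argument is then wrapped with escapeshellarg(). The `convert` command, paths and size limits are assumptions for the example.

```php
<?php
// Added example (not from the thread): vet a user-supplied image geometry
// before it reaches exec(), instead of relying on escapeshellcmd() alone.

// Returns a canonical "WxH" string, or null if the input is not acceptable.
function vetGeometry(string $input): ?string
{
    // Whitelist: digits, an 'x', digits. Letters, spaces, ';', '-' etc. fail here.
    if (!preg_match('/^(\d{1,5})x(\d{1,5})$/', trim($input), $m)) {
        return null;
    }
    $w = (int) $m[1];
    $h = (int) $m[2];
    // Range check (limits assumed): reject zero and sizes that would exhaust resources.
    if ($w < 1 || $h < 1 || $w > 10000 || $h > 10000) {
        return null;
    }
    return "{$w}x{$h}";
}

// Builds the command line, or returns null when the geometry was rejected.
function buildResizeCommand(string $inputPath, string $userGeometry): ?string
{
    $geometry = vetGeometry($userGeometry);
    if ($geometry === null) {
        return null; // refuse the request rather than "escape and hope"
    }
    // escapeshellarg() single-quotes each argument; combined with the whitelist
    // above, neither shell metacharacters nor extra options can be smuggled in.
    // 'convert' (ImageMagick) is assumed as the tool being wrapped.
    return 'convert ' . escapeshellarg($inputPath)
        . ' -resize ' . escapeshellarg($geometry) . ' out.png';
}

// Constructed inputs: one valid geometry, plus the kinds of garbage the
// thread warns about. Note that escapeshellcmd() passes the letters through
// untouched, so the command would still run and fail in some unknown way.
foreach (['800x600', 'lots of letters', '800x600; rm -rf /', '-resize 1x1', '0x0'] as $g) {
    $cmd = buildResizeCommand('in.jpg', $g);
    echo str_pad($g, 20) . ' => ' . ($cmd ?? 'rejected')
        . '   (escapeshellcmd: ' . escapeshellcmd($g) . ')' . PHP_EOL;
}
```

Only the first input produces a command; the rest are rejected before exec() is ever called, which is the point of validating rather than merely escaping.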
