Re: Escaping shell commands in PHP



On Sun, Dec 11, 2005 at 05:30:31AM -0500, Behdad Esfahbod wrote:
> Skimming through docs on sysadmin.g.o, in PHP Guidelines under
> Quoting, I think the third bullet "Don't try to quote shell
> command lines. ... there is no PHP builtin that does the right
> thing." is not adequate.  The following two PHP builtin functions
> do exactly this:
> 
>   http://php.net/escapeshellarg
>   http://php.net/escapeshellcmd

You'd be trusting PHP to correctly know exactly what special
characters to quote for whatever shell you might be using. It seems that
these functions already had a vulnerability (only for Windows, but
still..). I'd rather use functions without the quoting mess.

http://nl3.php.net/manual/en/function.pcntl-exec.php combined with
pcntl_fork() seems far safer. No shell escaping.

-- 
Regards,
Olav
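
As an added example (not from Olav's message, the quoted GNOME guidelines, or
PHP's own docs), here is the pcntl_fork()/pcntl_exec() pattern written out as a
small CLI helper. The path /bin/ls and the hostile filename are constructed for
illustration. Two caveats a practitioner would want: the pcntl extension is only
available in the CLI SAPI, not under web server modules, so this does not help a
web-facing script; and skipping the shell stops metacharacter injection but not
argument injection, which is why the example passes `--` before the
user-controlled value.

```php
<?php
// Added example: run a program with user-supplied arguments without a shell.
// Assumes the pcntl extension (CLI SAPI only) and a POSIX system with /bin/ls.

declare(strict_types=1);

/**
 * Fork, exec $path with $args as argv[1..] in the child, wait in the parent.
 * Returns the child's exit status. No shell is involved, so metacharacters
 * in $args (; | & $( ) ` " ' etc.) reach the program as literal bytes.
 */
function run_without_shell(string $path, array $args): int
{
    if (!function_exists('pcntl_fork')) {
        throw new RuntimeException('pcntl extension not available (CLI SAPI only)');
    }
    if (!is_executable($path)) {
        // pcntl_exec() does not search PATH; it needs a real executable path.
        throw new InvalidArgumentException("not executable: $path");
    }
    foreach ($args as $a) {
        if (!is_string($a)) {
            throw new InvalidArgumentException('arguments must be strings');
        }
        // execve() cannot carry a NUL inside an argument; reject, don't truncate.
        if (strpos($a, "\0") !== false) {
            throw new InvalidArgumentException('NUL byte in argument');
        }
    }

    $pid = pcntl_fork();
    if ($pid === -1) {
        throw new RuntimeException('fork failed');
    }
    if ($pid === 0) {
        // Child: replace this process image. pcntl_exec() only returns on failure.
        pcntl_exec($path, $args);
        fwrite(STDERR, "exec failed: $path\n");
        exit(127);
    }

    // Parent: reap the child and report how it ended.
    pcntl_waitpid($pid, $status);
    return pcntl_wifexited($status) ? pcntl_wexitstatus($status) : 128;
}

// Constructed hostile input: through a shell this would also run `rm -rf /`.
$userInput = 'report.txt; rm -rf /';

// ls receives one literal filename and just reports it missing.
// `--` ends option parsing so a value like "-R" cannot become a flag.
$code = run_without_shell('/bin/ls', ['-l', '--', $userInput]);
echo "exit status: $code\n";
```

Run it with the PHP CLI (`php run.php`); the child's stderr shows ls complaining
about a file literally named `report.txt; rm -rf /`, and nothing else executes.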


