Re: Escaping shell commands in PHP

On Sun, Dec 11, 2005 at 05:30:31AM -0500, Behdad Esfahbod wrote:
> Skimming through docs on sysadmin.g.o, in PHP Guidelines under
> Quoting, I think the third bullet "Don't try to quote shell
> command lines. ... There is no PHP builtin that does the right
> thing." is not adequate.  The following two PHP builtin functions
> do exactly this:

You'd be trusting PHP to correctly know exactly what special
characters to quote for whatever shell you might be using. Seems that
these functions already had a vulnerability (only for Windows, but
still...). I'd rather use functions without the quoting mess. Combined with
pcntl_fork(), that seems far safer. No shell escaping.
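To make the no-shell approach concrete, here is an added example (not from the thread or from sysadmin.g.o) that pairs pcntl_fork(), which the reply names, with pcntl_exec(); the choice of pcntl_exec() as the direct-exec primitive is an assumption of this example, and it needs PHP's pcntl extension (CLI). The hostile-looking input is constructed for illustration.

```php
<?php
// Added example: run an external program with an untrusted argument
// WITHOUT handing anything to a shell, so there is no shell-metacharacter
// quoting to get wrong. pcntl_fork() + pcntl_exec() is the pairing
// assumed here (the reply names only pcntl_fork()).

/**
 * Fork, then replace the child with $argv[0] executed directly (execve(2)).
 * Each element of $argv reaches the program as one argument, byte for byte.
 * Returns the child's exit status, or null if it did not exit normally.
 */
function run_without_shell(array $argv): ?int
{
    if ($argv === [] || !is_executable($argv[0])) {
        throw new InvalidArgumentException('need an absolute path to an executable');
    }
    $pid = pcntl_fork();
    if ($pid === -1) {
        throw new RuntimeException('fork failed');
    }
    if ($pid === 0) {
        // Child: argv[1..] is passed as the argument array. No /bin/sh is
        // involved, so ; | $ ( ) ` are just bytes inside one argument.
        pcntl_exec($argv[0], array_slice($argv, 1));
        exit(127); // only reached if exec itself failed
    }
    // Parent: wait for the child and report how it ended.
    pcntl_waitpid($pid, $status);
    return pcntl_wifexited($status) ? pcntl_wexitstatus($status) : null;
}

// Constructed input: under a shell this would terminate the intended
// command and start a second one; here it is echoed as a single literal.
$untrusted = 'report.txt; id';

$status = run_without_shell(['/bin/echo', $untrusted]);

// Contrast: the shell route depends on escapeshellarg() matching the
// quoting rules of whichever shell PHP invokes, the dependency the reply
// objects to.
$viaShell = shell_exec('/bin/echo ' . escapeshellarg($untrusted));
```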

