Re: Escaping shell commands in PHP
- From: Olav Vitters <olav bkor dhs org>
- To: gnome-infrastructure gnome org
- Subject: Re: Escaping shell commands in PHP
- Date: Mon, 12 Dec 2005 00:42:13 +0100
On Sun, Dec 11, 2005 at 05:30:31AM -0500, Behdad Esfahbod wrote:
> Skimming through docs on sysadmin.g.o, in PHP Guidelines under
> Quoting, I think the third bullet "Don't try to quote shell
> command lines. ... here is no PHP builtin that does the right
> thing." is not adequate. The following two PHP builtin functions
> do exactly this:
>
> http://php.net/escapeshellarg
> http://php.net/escapeshellcmd
You'd be trusting PHP to correctly know exactly what special
characters to quote for whatever shell you might be using. Seems that
these functions already had a vulnerability (only for Windows, but
still..). I'd rather use functions without quoting mess.
http://nl3.php.net/manual/en/function.pcntl-exec.php combined with
pcntl_fork() seems far safer. No shell escaping.
--
Regards,
Olav
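The approach Olav recommends, as an added example that is not part of the original thread: fork, then replace the child process image with pcntl_exec() so that each argument reaches the program as its own argv entry and no shell ever parses the command line. This assumes the pcntl extension is loaded (CLI SAPI) and that the binary is given as an absolute path; the function name `run_without_shell` and the sample filename are constructed for illustration.

```php
<?php
// Added example (not from the original mailing-list post): run an external
// program with an argument vector and no shell, using pcntl_fork() +
// pcntl_exec(). Assumes the pcntl extension is available (CLI SAPI).

function run_without_shell(string $path, array $args): int
{
    // pcntl_exec() does not search PATH, so insist on an absolute path
    // rather than silently failing or picking up an unexpected binary.
    if ($path === '' || $path[0] !== '/') {
        throw new InvalidArgumentException("path must be absolute: $path");
    }
    // execve() arguments are C strings; a NUL byte would truncate one.
    foreach ($args as $a) {
        if (!is_string($a) || strpos($a, "\0") !== false) {
            throw new InvalidArgumentException('arguments must be NUL-free strings');
        }
    }

    $pid = pcntl_fork();
    if ($pid === -1) {
        throw new RuntimeException('fork failed');
    }
    if ($pid === 0) {
        // Child: replace the process image. PHP supplies $path as argv[0];
        // each element of $args becomes argv[1], argv[2], ... verbatim.
        // No shell is involved, so metacharacters are never interpreted.
        pcntl_exec($path, $args);
        // Only reached if exec itself failed (e.g. binary not found).
        exit(127);
    }

    // Parent: wait for the child and report its exit status.
    pcntl_waitpid($pid, $status);
    if (pcntl_wifexited($status)) {
        return pcntl_wexitstatus($status);
    }
    return -1; // killed by a signal
}

// Constructed input: a filename full of shell metacharacters. Handed to a
// shell via system()/exec() this would be reinterpreted; through exec it is
// one opaque argument and /bin/echo prints it back exactly as given.
$hostile = "report; rm -rf /tmp/x ; echo \$(id) ' \" `uptime`.txt";
$status = run_without_shell('/bin/echo', [$hostile]);
fwrite(STDERR, "child exited with status $status\n");
```

The validation at the top is the part that is easy to forget: without a shell there is nothing to escape, but the exec boundary still has its own rules (absolute path, NUL-free strings), and an attacker-controlled argument beginning with `-` may still be read as an option by the called program, so pass user data after any option terminator the target program supports.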