12.7. Shell Commands
Be very wary of using the exec( ) , system( ), passthru( ), and popen( ) functions and the backtick (``) operator in your code. The shell is a problem because it recognizes special characters (e.g., semicolons to separate commands). For example, suppose your script contains this line:
If the user passes the value "/tmp;cat /etc/passwd" as the $directory parameter, your password file is displayed because system( ) executes the following command:
ls /tmp;cat /etc/passwd
In cases where you must pass user-supplied arguments to a shell command, use escapeshellarg( ) on the string to escape any sequences that have special meaning to shells:
$cleaned_up = escapeshellarg($directory); system("ls $cleaned_up");
Now, if the user passes "/tmp;cat /etc/passwd", the command that's actually run is:
ls '/tmp;cat /etc/passwd'
The easiest way to avoid the shell is to do the work of whatever program you're trying to call. Built-in functions are likely to be more secure than anything involving the shell.
Copyright © 2003 O'Reilly & Associates. All rights reserved.