 |  |
12.7. Shell Commands
Be very wary of using the exec( ) , system( ), passthru( ), and popen( ) functions and the backtick (``) operator in your code. The shell is a problem because it recognizes special characters (e.g., semicolons to separate commands). For example, suppose your script contains this line:
system("ls $directory");If the user passes the value "/tmp;cat /etc/passwd" as the $directory parameter, your password file is displayed because system( ) executes the following command:
ls /tmp;cat /etc/passwd
In cases where you must pass user-supplied arguments to a shell command, use escapeshellarg( ) on the string to escape any sequences that have special meaning to shells:
$cleaned_up = escapeshellarg($directory);
system("ls $cleaned_up");Now, if the user passes "/tmp;cat /etc/passwd", the command that's actually run is:
ls '/tmp;cat /etc/passwd'
The easiest way to avoid the shell is to do the work of whatever program you're trying to call. Built-in functions are likely to be more secure than anything involving the shell.
|  | |
| 12.6. PHP Code |  | 12.8. Security Redux |
Copyright © 2003 O'Reilly & Associates. All rights reserved.