Technique

To make sure that users cannot do anything unintended when we open a pipe or use any of the program execution functions, we need to pass their input through the escapeshellcmd() function, shown here:

    <?php
    exec (escapeshellcmd ($input), $output);
    ?>

You also might want to test whether a user has actually filled out his name. For this, we use the empty() function:

    <?php
    // Stop if the name field was left blank.
    if (empty ($name)) {
        die ("You have to supply your name");
    }
    ?>

Comments

The escapeshellcmd() function escapes all shell metacharacters, rendering user input harmless to you and the security of your system. I recommend that you make it a habit to always run escapeshellcmd() before putting user data into a program execution function (system(), exec(), passthru(), or popen()).

The empty() function tests whether the name field has been filled out, not whether the name field is valid. So, I could say that my name was "foo" and it wouldn't really matter to PHP as long as $name was filled out. That's about as precise as you can get with validating names. (Okay, you can check for alphabetical characters, but anybody with some intelligence can get around that.) More precision is available when checking things such as a user's email, but that will be addressed in later recipes.
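The two checks above combined into one complete script, as an added example that is not part of the original recipe. It assumes the name arrives in a POST field called "name" and is handed to a hypothetical /usr/local/bin/lookup program; both are assumptions, not anything from the recipe. It also shows the caveat a practitioner would want next to escapeshellcmd(): that function escapes metacharacters in the whole command string but leaves spaces alone, so a user can still supply extra arguments to the program. When the user data is a single argument, escapeshellarg() quotes it as one argument and closes that gap.

```php
<?php
// Added example, not from the original recipe.
// Assumed: the form posts a "name" field and a hypothetical /usr/local/bin/lookup
// program exists that takes a single name argument.

function requireName(string $name): string
{
    // empty() only confirms the field was filled out, not that the value is valid.
    if (empty($name)) {
        die("You have to supply your name");
    }
    return $name;
}

// The recipe's technique: escape the whole command string.
// Metacharacters such as ; | & ` $ are neutralised, but a value like
// "alice --verbose" still reaches lookup as two arguments.
function lookupWithEscapeShellCmd(string $name): array
{
    $cmd = escapeshellcmd("/usr/local/bin/lookup " . $name);
    exec($cmd, $output, $status);
    if ($status !== 0) {
        die("lookup failed");
    }
    return $output;
}

// Tighter variant for a single argument: escapeshellarg() wraps the value in
// single quotes and escapes any quotes inside it, so the whole value is one
// argument and cannot be split into options or further arguments.
function lookupWithEscapeShellArg(string $name): array
{
    $cmd = "/usr/local/bin/lookup " . escapeshellarg($name);
    exec($cmd, $output, $status);
    if ($status !== 0) {
        die("lookup failed");
    }
    return $output;
}

$name = requireName($_POST['name'] ?? '');
foreach (lookupWithEscapeShellArg($name) as $line) {
    echo htmlspecialchars($line), "\n";
}
?>
```

The exec() output is passed through htmlspecialchars() before being echoed so that whatever the program prints is not interpreted as HTML by the browser; that is a separate concern from the shell escaping the recipe is about, but it belongs in the same script.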