Section B.2. exec( )


B.2. exec( )

As described in Chapter 6, executing shell commands is a very dangerous operation, and the use of tainted data in the construction of a shell command creates a command injection vulnerability.

Try to avoid using shell command functions, but when you require them, be sure to use only filtered, escaped data in the construction of the command to be executed:

     <?php     $clean = array();     $shell = array();     /* Filter Input ($command, $argument) */     $shell['command'] = escapeshellcmd($clean['command']);     $shell['argument'] = escapeshellarg($clean['argument']);     $last = exec("{$shell['command']} {$shell['argument']}", $output, $return);     ?> 




Essential PHP Security
Essential PHP Security
ISBN: 059600656X
EAN: 2147483647
Year: 2005
Pages: 110

Similar book on Amazon

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net