Mohamed CHAARI wrote:
> Hi all,
>
> I have to execute an external command, with an argument
> (filename or directory name) given by user input (via a
> form), i.e. something like this:
>
> exec('ls $_POST[...]')
>
> What do you think about using the escapeshellarg() function in
> this case?
> Can I rely on it to have a secure solution? Or is there a risk?
...
>
> Thank you.

In addition to using escapeshellarg(), I would first determine if the input file or directory exists before executing the command. This adds another layer of protection.

<?php
// Example code
$name = isset($_POST['file_or_dir_name']) ? $_POST['file_or_dir_name'] : '';
if ($name !== '' && file_exists($name)) {
    // escapeshellarg() single-quotes the value so shell metacharacters are passed literally
    $command = "ls " . escapeshellarg($name);
    exec($command, $output);      // capture the output of ls instead of discarding it
    echo implode("\n", $output);
} else {
    echo "File/Directory does not exist!!";
}
?>

-B

--
PHP General Mailing List (http://www.php.net/)
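As an added illustration (not code from the thread), assuming a fixed base directory and a helper named listEntry() invented for this example: escapeshellarg() makes the argument safe for the shell, but it does not decide which path ls is run on, so the example pairs it with an existence check on the resolved path and a containment check against the base directory.

```php
<?php
// Added example, not part of the original reply. listEntry() and the
// base directory are assumptions made for the illustration.

function listEntry(string $userInput, string $baseDir): array
{
    // Canonicalise the directory the application allows listing under.
    $base = realpath($baseDir);
    if ($base === false) {
        throw new RuntimeException("Base directory is not available");
    }

    // Resolve the user-supplied name relative to the base. realpath()
    // collapses "..", symlinks and duplicate separators and returns false
    // when the entry does not exist (the file_exists() idea from the reply,
    // applied to the resolved path).
    $target = realpath($base . DIRECTORY_SEPARATOR . $userInput);
    if ($target === false) {
        throw new RuntimeException("File/Directory does not exist");
    }

    // Containment: the resolved path must be the base itself or lie below it.
    // file_exists() alone would also accept an existing path outside $base.
    if ($target !== $base && strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException("Entry is outside the permitted directory");
    }

    // escapeshellarg() wraps the value in single quotes and escapes embedded
    // single quotes, so ; | ` $ ( ) are literal to the shell. "--" stops a
    // name beginning with "-" from being read by ls as an option.
    $command = 'ls -- ' . escapeshellarg($target);

    $output = [];
    $status = 0;
    exec($command, $output, $status);
    if ($status !== 0) {
        throw new RuntimeException("ls exited with status $status");
    }
    return $output;
}

// Only the entry name comes from the form; the base directory is fixed here.
$name = isset($_POST['file_or_dir_name']) ? (string) $_POST['file_or_dir_name'] : '';
try {
    echo htmlspecialchars(implode("\n", listEntry($name, '/var/www/uploads')));
} catch (RuntimeException $e) {
    echo htmlspecialchars($e->getMessage());
}
```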