On Feb 11, 2008 10:59 AM, Eric Butera <eric.butera@xxxxxxxxx> wrote:
> You should never use exec & friends when there is another way around
> the problem. It is a security concern.

Only as much as the design of the script allows. Properly-filtered code (including using escapeshellarg() and escapeshellcmd()) should work fine. Maybe a simple regexp to only accept /(^[a-z0-9\s-_\.]*$)/i (untested) would be in order as well.

I do agree that it shouldn't be used as a replacement for anything that can be done natively in PHP, but there are situations where using a PHP-only system is impractical and imprudent.

--
</Dan>

Daniel P. Brown
Senior Unix Geek
<? while(1) { $me = $mind--; sleep(86400); } ?>

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
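The filtering discussed in the message above, as an added example that is not part of the original thread: an allowlist check followed by escapeshellarg() before exec(). The helper names safe_name() and count_lines(), the use of wc, the temp-directory sample file and the tightened pattern (no whitespace, non-empty, no leading "-") are assumptions of this example.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: allowlist check for a user-supplied file name.
// Compared with the pattern in the post, this variant (an assumption of the
// example) drops whitespace, requires at least one character, and forbids a
// leading "-" so the value can never be parsed as a command-line option.
function safe_name(string $name): bool
{
    // \A...\z anchor the whole string; "$" alone would accept a trailing newline.
    return preg_match('/\A[a-z0-9_.][a-z0-9_.-]*\z/i', $name) === 1
        && $name !== '.' && $name !== '..';
}

// Hypothetical helper: count the lines of a file under a fixed directory.
function count_lines(string $baseDir, string $name): ?int
{
    if (!safe_name($name)) {
        return null; // reject instead of trying to repair the input
    }
    // escapeshellarg() quotes the value as a single shell word;
    // "--" ends option parsing for wc as a second layer of defence.
    $cmd = 'wc -l -- ' . escapeshellarg($baseDir . '/' . $name);
    $out = [];
    exec($cmd, $out, $status);
    if ($status !== 0 || !isset($out[0])) {
        return null;
    }
    return (int) $out[0]; // wc prints "<count> <path>"
}

// Constructed sample inputs: one valid name and four that must be rejected.
$dir = sys_get_temp_dir();
file_put_contents($dir . '/report_01.txt', "a\nb\nc\n");

foreach (['report_01.txt', 'x; id', '-rf', '../etc/passwd', "a.txt\n"] as $input) {
    $n = count_lines($dir, $input);
    printf("%-18s => %s\n", json_encode($input), $n === null ? 'rejected' : "$n lines");
}
```

The allowlist decides what is accepted at all; escapeshellarg() only guarantees that an accepted value reaches the shell as one word, so neither check replaces the other.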