> I am developing a web page where I have to display the files list
> based on some search criteria and of a certain duration. My web server
> is on a Linux operating system. The command I am using for this
> purpose is:
>
>     find /home/test -mtime -$duration | sort | xargs grep -l "$search_criteria"
>
> Can any malicious user use the search criteria to perform some bad
> commands in the operating system?

YES!

Consider this:

    $search_criteria = "foo | rm -rf /";

Or, rather, this:

    http://example.com/?duration=5&search_criteria=foo+|+rm+-rf+/

> If it is then please suggest how to prevent it. Please help me out.

#1: Don't do that. :-)

#2:

    $search_criteria = preg_replace('|[^a-z0-9_-]|', '', $search_criteria);

#3:

    $search_criteria = escapeshellarg($search_criteria);

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
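
An added example, not part of the original thread: the pipeline from the question with both request parameters handled, since $duration is interpolated into the command line just as $search_criteria is. The function name build_search_command() and the sample inputs are hypothetical; the code assumes GNU find, sort, xargs and grep (as on a typical Linux server) and chooses literal matching (-F) rather than regular expressions.

```php
<?php
// Added example; build_search_command() is a hypothetical helper name.

/**
 * Build the find | sort | xargs grep pipeline from the question with both
 * user-supplied values neutralised before they reach the shell.
 */
function build_search_command(string $dir, string $duration, string $criteria): string
{
    // $duration is also placed on the command line, so it gets an allow-list
    // check: 1 to 4 decimal digits, anchored with \A and \z so that a
    // trailing newline cannot slip through, then a cast to int.
    if (!preg_match('/\A[0-9]{1,4}\z/', $duration)) {
        throw new InvalidArgumentException('duration must be a whole number of days');
    }
    $days = (int) $duration;

    // Reject empty or oversized patterns and embedded NUL / line breaks.
    if ($criteria === '' || strlen($criteria) > 200 || preg_match('/[\x00\r\n]/', $criteria)) {
        throw new InvalidArgumentException('invalid search criteria');
    }

    // escapeshellarg() single-quotes the value so the shell sees one word.
    // "-e" stops grep from reading a leading "-" in the pattern as an option,
    // "-F" matches the text literally, and "--" ends option parsing before
    // the file names. -print0 / sort -z / xargs -0 keep odd file names
    // intact; -r skips grep when find returns nothing.
    return sprintf(
        'find %s -type f -mtime -%d -print0 | sort -z | xargs -0 -r grep -l -F -e %s --',
        escapeshellarg($dir),
        $days,
        escapeshellarg($criteria)
    );
}

// Constructed inputs: the value quoted in the thread, then a non-numeric duration.
echo build_search_command('/home/test', '5', 'foo | rm -rf /'), "\n";

try {
    build_search_command('/home/test', '5x', 'foo');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The returned string is what would be handed to shell_exec(); the pipe and the rm in the first sample end up inside one single-quoted grep pattern instead of being parsed by the shell.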