On Sun, Dec 11, 2005 at 05:30:31AM -0500, Behdad Esfahbod wrote:
> Skimming through docs on sysadmin.g.o, in PHP Guidelines under
> Quoting, I think the third bullet "Don't try to quote shell
> command lines. ... here is no PHP builtin that does the right
> thing." is not adequate. The following two PHP builtin functions
> do exactly this:
>
> http://php.net/escapeshellarg
> http://php.net/escapeshellcmd
You'd be trusting PHP to correctly know exactly what special characters to quote for whatever shell you might be using. Seems that these functions already had a vulnerability (only for Windows, but still..).

I'd rather use functions without quoting mess. http://nl3.php.net/manual/en/function.pcntl-exec.php combined with pcntl_fork() seems far safer. No shell escaping.

-- 
Regards,
Olav

_______________________________________________
Gnome-infrastructure mailing list
[email protected]
http://mail.gnome.org/mailman/listinfo/gnome-infrastructure
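The two approaches discussed in the thread side by side, as an added example that is not part of the original messages or of the GNOME sysadmin guidelines: the first builds a command line and relies on escapeshellarg()/escapeshellcmd(), so a shell still parses the result; the second uses pcntl_fork() plus pcntl_exec() so the argument vector reaches execve(2) untouched and no quoting rules are involved. It assumes the pcntl extension is loaded (PHP CLI on a POSIX system) and that /bin/echo exists; the "untrusted" argument is a constructed sample containing shell metacharacters.

```php
<?php
// Added example, not code from the thread. Assumes the pcntl extension
// (PHP CLI, POSIX) and /bin/echo. pcntl_exec() does no PATH search, so
// the program must be given as a full path.

// Constructed input: an argument a shell would split and interpret.
$untrusted = 'hello; echo INJECTED';

/**
 * Approach 1: build a command string and let exec() hand it to /bin/sh.
 * Correctness depends on escapeshellarg() matching the quoting rules of
 * whatever shell PHP spawns; the shell always re-parses the string.
 */
function runViaShell(string $program, array $args): array
{
    $cmd = escapeshellcmd($program);
    foreach ($args as $a) {
        $cmd .= ' ' . escapeshellarg($a);
    }
    exec($cmd, $output, $status);
    return ['command' => $cmd, 'output' => $output, 'status' => $status];
}

/**
 * Approach 2: fork, then replace the child with the target program.
 * $args is passed as the argument vector (PHP supplies argv[0] = $path),
 * so no shell is involved and no escaping is needed at all.
 * Returns the child's exit status, or -1 if fork failed or the child
 * did not exit normally.
 */
function runWithoutShell(string $path, array $args): int
{
    $pid = pcntl_fork();
    if ($pid === -1) {
        return -1;                         // fork failed
    }
    if ($pid === 0) {
        // Child: pcntl_exec() only returns if the exec itself failed.
        pcntl_exec($path, $args);
        fwrite(STDERR, "exec of $path failed\n");
        exit(127);
    }
    // Parent: reap the child and report how it ended.
    pcntl_waitpid($pid, $status);
    if (pcntl_wifexited($status)) {
        return pcntl_wexitstatus($status);
    }
    return -1;
}

$r = runViaShell('/bin/echo', [$untrusted]);
echo "shell command line: {$r['command']}\n";
echo "shell output:       " . implode("\n", $r['output']) . "\n";

echo "direct exec output: ";
$status = runWithoutShell('/bin/echo', [$untrusted]);
echo "direct exec status: $status\n";
```

Run it with `php example.php`. Both paths print the argument verbatim here because escapeshellarg() handles this input, but only the pcntl_exec() path is independent of shell quoting rules: the string never passes through a shell, so there is nothing for a quoting mismatch to get wrong. The cost is that pcntl is CLI-only on most builds and that redirection, pipelines and PATH lookup have to be done by the PHP code itself.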
