At 13:27 19.02.2003, [EMAIL PROTECTED] said:
--------------------[snip]--------------------
>happens when I echo the text out. So if I don't allow backticks in my
>input field and I want to redisplay that input I execute the code right?
>Meaning I can't redisplay the text as the user inputted it. When I use
>escapeshellcmd to prevent any execution I redisplay the input differently
>than the user's input. This will confuse most users and is not as wished
>from a usability standpoint.
>So have I misunderstood the way backticks work or is this an unresolvable
>issue?
--------------------[snip]--------------------
No, you don't execute backticks if you display them. Look at these examples:

// directly execute the command using backticks
$files = `ls -al .`;

// create a command and execute it
$cmd = '`ls -al . `';
eval("\$files = $cmd;");

// outputting the command in a form input field doesn't execute
echo '<input type="text" name="whatever" value="' . $cmd . '">';
--
>O Ernest E. Vogelsinger
(\) ICQ #13394035
^ http://www.vogelsinger.at/
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
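
An added example, not part of the original thread: it keeps the user's text unchanged for redisplay and applies shell escaping only at the point where a value is handed to a shell. The sample input and the helper names render_field() and shell_echo() are constructed for illustration, and a POSIX shell is assumed.

```php
<?php
// Constructed sample: what a user might type into the form field.
$input = 'run `ls -al .` and say "hi" <b>now</b>';

// 1. Redisplay: the value is only data inside HTML. Backticks have no
//    meaning to the browser, and PHP only runs them when they appear in
//    PHP source (or in a string passed to eval), so nothing executes.
//    htmlspecialchars() handles the HTML context (quotes, <, >) and
//    leaves backticks untouched, so the user sees their own text again.
function render_field(string $name, string $value): string
{
    return '<input type="text" name="'
         . htmlspecialchars($name, ENT_QUOTES, 'UTF-8')
         . '" value="'
         . htmlspecialchars($value, ENT_QUOTES, 'UTF-8')
         . '">';
}

// 2. Shell use: escape at the moment the value becomes a shell argument,
//    and keep the original string for display. escapeshellarg() wraps the
//    value in single quotes, so the shell treats backticks as literal text.
function shell_echo(string $value): string
{
    return (string) shell_exec('printf %s ' . escapeshellarg($value));
}

echo render_field('whatever', $input), "\n";
echo shell_echo($input), "\n";
```

Because escaping is chosen per output context, the stored input never has to be altered, which avoids the usability problem raised in the question.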