By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
459,940 Members | 1,522 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 459,940 IT Pros & Developers. It's quick & easy.

How to keep system() safe

P: n/a
I have a php page that needs to make a system() call to a perl app. I
need to send user-entered search terms as parameters to the perl app,
and then capture the output from perl, do some light processing on it,
and then embed that into the php page.

I know how to do it, but this is not a controlled environment like a
LAN or a personal PC, so I am very paranoid about the risks of making
the system() call with user-supplied input. I know I will need to
shellescapearg() the user-input. Are there any other checks you would
recommend? Perhaps checks against the length of the user-input?
ctype_alnum()? Anything else I'm not thinking of?

Jul 17 '05 #1
Share this Question
Share on Google+
1 Reply


P: n/a
You have to think on how the perl script uses the info users send, you
should use also make a preg_match so that the input text contain only
valid characters and numbers, [a...z], [A...Z], [0...9]! Also i
presumed you are concerned so that user won't send multiple commands
on that line to the bash, i think by doing the preg_match you will
eliminate this option!
Ovidiu

http://www.DevPlug.com --Connecting Developers
Posted from: http://www.devplug.com/ftopic23288.htm
Jul 17 '05 #2

This discussion thread is closed

Replies have been disabled for this discussion.