
exec, single quote & security...

Hello,

(I'm particularly interested in the security issue - PHP is running on
Apache + Linux)

I need to pass the result (here $exp) of a form submission to a
third-party application using:

exec("echo $exp | third_part", $arr, $ret);

This $exp may contain a single quote, such as in "they're", and if I'm
very unlucky, harmful code for my system.

For now I use:

$exp = "'" . implode("' \' '", explode("'", stripslashes($exp))) . "'";

to be sure to maintain single quotes, and I also expect to avoid some
common vulnerabilities (by enclosing them inside '').

How can I be sure that $exp isn't harmful? Is it enough?

thanks,
Jul 16 '05 #1


Hi,

Shagshag wrote:

(I'm particularly interested in the security issue - PHP is running on
Apache + Linux)

I need to pass the result (here $exp) of a form submission to a
third-party application using:

exec("echo $exp | third_part", $arr, $ret);

This $exp may contain a single quote, such as in "they're", and if I'm
very unlucky, harmful code for my system.

For now I use:

$exp = "'" . implode("' \' '", explode("'", stripslashes($exp))) . "'";

to be sure to maintain single quotes, and I also expect to avoid some
common vulnerabilities (by enclosing them inside '').

How can I be sure that $exp isn't harmful? Is it enough?


There's a special built-in function for this. See:

http://uk2.php.net/manual/en/functio...peshellarg.php

Regards,

Luke

Jul 16 '05 #2
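
The built-in function the reply points to, as an added example that is not part of the original thread. It goes one step beyond the reply by also showing a variant that avoids the shell entirely. Assumptions: `cat` stands in for the poster's `third_part` program, the function names are hypothetical, and the sample inputs are constructed.

```php
<?php
// Added example. FILTER_CMD stands in for the poster's `third_part` (assumption).
const FILTER_CMD = 'cat';

// Option 1: the function from the reply. escapeshellarg() wraps the value in
// single quotes and rewrites each embedded ' as '\'' so the shell receives
// one literal argument, whatever metacharacters it contains.
function run_with_escapeshellarg(string $exp): array
{
    // printf instead of echo: echo may treat a value like "-n" as an option.
    $cmd = 'printf "%s\n" ' . escapeshellarg($exp) . ' | ' . FILTER_CMD;
    exec($cmd, $lines, $status);
    return [$status, $lines];
}

// Option 2 (PHP 7.4+): no shell at all. The array form of proc_open() starts
// the program directly and the form data travels over stdin as plain bytes.
function run_via_stdin(string $exp): array
{
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w']];
    $proc = proc_open([FILTER_CMD], $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('cannot start ' . FILTER_CMD);
    }
    fwrite($pipes[0], $exp . "\n");   // fine for form-sized input
    fclose($pipes[0]);
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    return [proc_close($proc), explode("\n", rtrim($out, "\n"))];
}

// Constructed sample inputs: an apostrophe plus typical shell metacharacters.
$samples = ["they're", "a'; echo INJECTED; echo 'b", '$(id) `id` | wc -c'];

foreach ($samples as $exp) {
    [$s1, $o1] = run_with_escapeshellarg($exp);
    [$s2, $o2] = run_via_stdin($exp);
    // Both paths must hand the program the input byte for byte.
    $ok = ($o1 === [$exp]) && ($o2 === [$exp]) && $s1 === 0 && $s2 === 0;
    printf("%-32s %s\n", $exp, $ok ? 'passed through as data' : 'MISMATCH');
}
```

Either option only keeps the shell from interpreting `$exp`; what `third_part` itself does with the input still has to be checked separately.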
