shell_exec() and Security

Posted: Fri Jan 17, 2003 5:15 am
by rjmatm
I am using the shell_exec for a few things. It's very useful, but it also seems like it could be a malicious intruder's dream to be able to pass a variable to it.

I was just wondering what types of security issues I should keep in mind when using the shell_exec function.

Any suggestions, tips, techniques?

Thanks in advance for any response.

Posted: Fri Jan 17, 2003 5:28 am
by volka
Avoid user input in shell commands. If unavoidable, triple-check and filter the input.
escapeshellarg() and esp. escapeshellcmd() are useful for that purpose.
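
An added example, not part of the posts above: one way to combine the filtering and escaping steps mentioned in this thread when user input has to reach shell_exec(). The helper names, the /usr/bin/host path and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example; function names and the command path are hypothetical.

/** Filter step: accept only what a hostname can look like, else null. */
function validate_hostname(string $input): ?string
{
    $input = trim($input);
    if ($input === '' || strlen($input) > 253) {
        return null;
    }
    // Letters, digits, dots and hyphens only. The first character must be
    // alphanumeric, so the value can never be read as a command-line option.
    if (!preg_match('/^[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?$/', $input)) {
        return null;
    }
    return $input;
}

/** Escape step: user data appears only as one quoted argument. */
function build_lookup_command(string $host): string
{
    // The program name is a fixed literal, never user-controlled.
    // escapeshellarg() wraps the value in single quotes so the shell
    // passes it on as exactly one argument.
    return '/usr/bin/host ' . escapeshellarg($host);
}

/** Returns the command output, or null if the input was rejected. */
function lookup(string $userInput): ?string
{
    $host = validate_hostname($userInput);
    if ($host === null) {
        return null; // rejected: nothing reaches the shell
    }
    $out = shell_exec(build_lookup_command($host));
    return is_string($out) ? $out : null;
}

// Constructed sample inputs; this loop only builds strings, it runs nothing.
foreach (['example.com', 'example.com; id', '-v', '$(id)'] as $sample) {
    $ok = validate_hostname($sample) !== null;
    printf("%-18s %s\n", $sample, $ok ? build_lookup_command($sample) : 'rejected');
}
```

Only the first sample passes the filter and is turned into a command string; the other three are rejected before any escaping or execution takes place.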