escapeshellarg?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


Mr Tech
Forum Contributor
Posts: 424
Joined: Tue Aug 10, 2004 3:08 am

escapeshellarg?

Post by Mr Tech »

Is escapeshellarg() worth using? Or does mysql_real_escape_string do the trick? Or would putting them both together be the go?
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

escapeshellarg -- Escape a string to be used as a shell argument
mysql_real_escape_string -- Escapes special characters in a string for use in a SQL statement

You should use the appropriate function for the context you're going to use the data in...
Mr Tech
Forum Contributor
Posts: 424
Joined: Tue Aug 10, 2004 3:08 am

Post by Mr Tech »

So escapeshellarg would be used for information submitted in forms?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

No.. for shell arguments...

Like stuff you send to system().
aaronhall
DevNet Resident
Posts: 1040
Joined: Tue Aug 13, 2002 5:10 pm
Location: Back in Phoenix, missing the microbrews

Post by aaronhall »

Mr Tech wrote: So escapeshellarg would be used for information submitted in forms?

Use mysql_real_escape_string to sanitize "tainted" data before putting it into a database query. When outputting tainted data to the browser, use htmlspecialchars($foo, ENT_QUOTES).
impulse()
Forum Regular
Posts: 748
Joined: Wed Aug 09, 2006 8:36 am
Location: Staffordshire, UK

Post by impulse() »

I recently realised that using the following line

Code:

$ip = $_POST["ip"];
system("ping $ip");

allowed anyone to execute commands in my shell by entering the following in the text box: "; <whatever they want here>". This was stopped by using:

Code:

$ip = escapeshellarg($_POST["ip"]);
system("ping $ip");

Regards,
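An added example, not code from the thread, putting the advice above together for impulse()'s ping case: validate the input, then escapeshellarg() for the shell context and htmlspecialchars() for the HTML context. buildPingCommand and renderResult are names chosen here, and the command is echoed rather than passed to system(); the mysql_* functions mentioned in the thread were removed in PHP 7, so the database side is left out.

```php
<?php
// Added example (not from the thread): the ping case from impulse()'s
// post, with each value escaped for the context it is used in.
declare(strict_types=1);

/**
 * Hypothetical helper: returns the ping command with $ip as a single
 * shell argument, or null if $ip is not an IP address at all.
 */
function buildPingCommand(string $ip): ?string
{
    // Validation first: anything that is not an IP never reaches the shell,
    // whatever escaping follows.
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    // escapeshellarg() wraps the value in single quotes and escapes embedded
    // single quotes, so ';', '|', '`' and '$(' become literal text inside
    // one argument to ping rather than a second command.
    return 'ping -c 1 ' . escapeshellarg($ip);
}

/** Same value, different context: HTML output, as aaronhall describes. */
function renderResult(string $ip): string
{
    return '<p>Pinged ' . htmlspecialchars($ip, ENT_QUOTES, 'UTF-8') . '</p>';
}

// Constructed inputs: a real address and the "; <command>" shape described above.
$inputs = ['127.0.0.1', '127.0.0.1; echo injected'];

foreach ($inputs as $input) {
    // Shown for comparison: escapeshellarg() alone still yields one quoted
    // argument; the semicolon is data, not a command separator.
    echo 'quoted only : ping -c 1 ' . escapeshellarg($input) . PHP_EOL;

    $cmd = buildPingCommand($input);
    // The command is echoed, not passed to system(), so this is safe to run as is.
    echo 'validated   : ' . ($cmd ?? 'rejected, not an IP address') . PHP_EOL;
    echo 'html        : ' . renderResult($input) . PHP_EOL . PHP_EOL;
}
```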