escapeshellarg?

Posted: Sun Dec 03, 2006 5:03 am
by Mr Tech
Is the escapeshellarg() worth using? Or does mysql_real_escape_string do the trick? Or would putting them both together be the go?

Posted: Sun Dec 03, 2006 5:42 am
by timvw
escapeshellarg -- Escape a string to be used as a shell argument
mysql_real_escape_string -- Escapes special characters in a string for use in a SQL statement

You should use the appropriate function for the context you're going to use the data in...

Posted: Sun Dec 03, 2006 4:56 pm
by Mr Tech
So escapeshellarg would be used for information submitted in forms?

Posted: Sun Dec 03, 2006 5:35 pm
by feyd
No.. for shell arguments...

Like stuff you send to system().

Posted: Mon Dec 04, 2006 11:58 am
by aaronhall
Mr Tech wrote: So escapeshellarg would be used for information submitted in forms?

Use mysql_real_escape_string to sanitize "tainted" data before putting it into a database query. When outputting tainted data to the browser, use htmlspecialchars($foo, ENT_QUOTES).

Posted: Tue Dec 12, 2006 12:30 pm
by impulse()
I recently realised that using the following lines

Code:

$ip = $_POST["ip"];
system("ping $ip");

allowed anyone to execute commands in my shell by entering the following in the text box: "; <whatever they want here>". This was stopped by using:

Code:

$ip = escapeshellarg($_POST["ip"]);
Regards,
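The three answers above make the same point from different angles: each output context (shell, SQL, HTML) needs its own escaping, and the ping snippet shows what happens when the shell context gets none. The following is an added example written for this thread, not code posted by any of the participants. It assumes PHP 7 or later with the PDO SQLite driver available (the in-memory database and the `hosts` table are constructed here purely for illustration), and it shows one helper per context: escapeshellarg() for the shell argument, a bound parameter for the SQL value, and htmlspecialchars() for the HTML output. The mysql_real_escape_string() mentioned in the thread belongs to the old mysql extension, which was removed in PHP 7, so the SQL part uses a prepared statement instead.

```php
<?php
// Added example for the escapeshellarg thread; not code from the original posts.
declare(strict_types=1);

// Shell context. escapeshellarg() turns the whole value into ONE literal
// argument, so "127.0.0.1; id" no longer ends the ping command and starts a
// new one. Validation comes first: an IP or hostname never legitimately
// contains shell metacharacters, so anything else is rejected outright.
function buildPingCommand(string $host): ?string
{
    $isIp = filter_var($host, FILTER_VALIDATE_IP) !== false;
    $isHostname = preg_match('/^[A-Za-z0-9.-]{1,253}$/', $host) === 1;
    if (!$isIp && !$isHostname) {
        return null; // reject rather than try to clean up garbage
    }
    return 'ping -c 1 ' . escapeshellarg($host);
}

// HTML context. ENT_QUOTES escapes both quote styles so the value is safe
// inside attribute values as well as element text.
function renderHostForHtml(string $host): string
{
    return htmlspecialchars($host, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// SQL context. The query text is fixed and the value is bound, so the
// database never parses user input as SQL. No string escaping is needed.
function findHostRow(PDO $db, string $host): ?array
{
    $stmt = $db->prepare('SELECT id, host FROM hosts WHERE host = :host');
    $stmt->execute([':host' => $host]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample inputs, shaped like the payload described in the thread.
$tainted = '127.0.0.1; id';
$clean   = '127.0.0.1';

// Shell: the tainted value is rejected (null); the clean one is quoted.
var_dump(buildPingCommand($tainted));
var_dump(buildPingCommand($clean));
// For comparison, escapeshellarg() alone still yields a single quoted argument.
var_dump(escapeshellarg($tainted));

// HTML: angle brackets and quotes are turned into entities.
var_dump(renderHostForHtml('<b>' . $tainted . '</b>'));

// SQL: constructed in-memory table (assumes the pdo_sqlite extension is loaded).
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE hosts (id INTEGER PRIMARY KEY, host TEXT)');
$db->exec("INSERT INTO hosts (host) VALUES ('127.0.0.1')");
// A classic injection string simply matches no row; the bound value cannot
// change the structure of the prepared query.
var_dump(findHostRow($db, "' OR 1=1 --"));
var_dump(findHostRow($db, $clean));
```

Run it with the PHP CLI. Two caveats for anyone adapting it: escapeshellarg() quotes differently on Windows (double quotes, with embedded double quotes and percent signs replaced), so the validation step is what makes the helper portable, and escaping for one context never substitutes for another, which is exactly why "putting them both together" from the first post does not help.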