Escaping a command

I tried to do my research, but there are simply so many ways to invoke shell commands, and even more ways to separate out malicious characters, that I have come to Stack Overflow for a better expert recommendation.

I was hoping to find something like what I have seen in other languages, where the arguments sent to the command are actually passed through a function, for example:

do_command("ls", "-l", $Directory);

and it will take care of whatever is bad in the $Directory variable for you. I did not find this in PHP.

This is the code I'm working with:

<?php
session_start();

// Recipients: the admin always gets a copy, the lists depend on the request type
$AdminEmail    = "random_email@gmail.com";
$CatalogEmails = array("");
$QuoteEmails   = array("");
$PartsEmails   = array("");

$Subject = $_SESSION['Email_Subject'];
$Body    = $_SESSION['Email_Body'];
$Headers = $_SESSION['Email_Headers'];
$Type    = $_SESSION['Type'];

msmtp($AdminEmail, $Subject, $Body, $Headers, "meyers");

if ($Type == "Catalog") {
    foreach ($CatalogEmails as $AdditionalEmail) {
        msmtp($AdditionalEmail, $Subject, $Body, $Headers, "meyers");
    }
} else if ($Type == "Quote") {
    foreach ($QuoteEmails as $AdditionalEmail) {
        msmtp($AdditionalEmail, $Subject, $Body, $Headers, "meyers");
    }
} else if ($Type == "Parts") {
    foreach ($PartsEmails as $AdditionalEmail) {
        msmtp($AdditionalEmail, $Subject, $Body, $Headers, "meyers");
    }
}

function msmtp($To, $Subject, $Body, $Headers, $Account)
{
    // Build the raw message; it is placed inside a double-quoted shell string as-is
    $Email = "To: $To\nSubject: $Subject\n$Headers\n\n$Body\n";
    exec("echo \"$Email\" | msmtp --account=$Account $To");
}

session_destroy();
?>

I know that there is a built-in PHP mail function that will pretty much take care of this, but I am running several SMTP servers, and msmtp is the program I use, which sends emails based on the "account" it is given. In this case, it will be the "meyers" account.

All session variables contain HTML (<br>, <b>, etc.) along with some $_POST vars. I am using PHP 5.3, so no magic quotes.

I know that using echo is a terrible way to do this, which is why I have come to Stack Overflow. My goal here is for the email to go through despite any crazy characters they throw at me. I know that the bash shell is picky. I guess this takes much more than just dropping double quotes.

I tried using escapeshellcmd, escapeshellarg and htmlentities; they all did too much or messed up the HTML in the email.

+4
2 answers

Write the contents of the email to a file, and then redirect the contents of the file as input to the msmtp command.

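$tempfile = tempnam(sys_get_temp_dir(), "msmtp"); // unique temporary file for the message
file_put_contents($tempfile, $Email);
exec("msmtp --account=$Account $To < $tempfile");
unlink($tempfile); // remove the temporary file once msmtp has read it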
+2

Is PHP using the Bourne (sh) or Bash shell? In either case, it would be better to use printf:

 exec("printf '%s' '$Email' | msmtp --account=$Account $To"); 

If you use Bash, you can try the quoting feature of its printf:

 exec("printf '%q' '$Email' | msmtp --account=$Account $To"); 
+1
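
An alternative to both answers, as an added example that is not part of the original thread: write the message to msmtp's standard input with proc_open(), so that only the account name and the recipient appear on the command line, each passed through escapeshellarg(). The function name msmtp_send, the sample address and body, and the use of "--" to end option parsing are assumptions.

```php
<?php
// Added example: the message body never becomes part of a shell command line.
// Uses the string form of proc_open(), so it also runs on PHP 5.3.

function msmtp_send($To, $Subject, $Body, $Headers, $Account)
{
    // A line break in To or Subject would start a new header line; refuse it.
    if (preg_match('/[\r\n]/', $To . $Subject)) {
        return false;
    }
    $Email = "To: $To\nSubject: $Subject\n$Headers\n\n$Body\n";

    // Only two short arguments reach the shell, each as one quoted word.
    // "--" ends option parsing (standard getopt behaviour, assumed for msmtp),
    // so a recipient starting with "-" cannot be read as an option.
    $Command = "msmtp --account=" . escapeshellarg($Account)
             . " -- " . escapeshellarg($To);

    $Spec = array(
        0 => array("pipe", "r"),              // child's stdin: the message goes here
        1 => array("file", "/dev/null", "w"), // discard stdout
        2 => array("file", "/dev/null", "w"), // discard stderr
    );

    $Process = proc_open($Command, $Spec, $Pipes);
    if (!is_resource($Process)) {
        return false;
    }

    // Raw bytes go straight to msmtp: quotes, backticks, $ and HTML need no
    // escaping because no shell ever parses them.
    fwrite($Pipes[0], $Email);
    fclose($Pipes[0]);

    // msmtp exits with 0 when the mail was accepted for delivery.
    return proc_close($Process) === 0;
}

// Constructed sample input containing characters the shell treats specially.
$Body = "<b>It's \"quoted\"</b><br>`date` \$(date) ; | & > <";
var_dump(msmtp_send("user@example.com", "Test", $Body,
                    "Content-Type: text/html", "meyers"));
```

The call returns false when msmtp is not installed or the account is not configured, because the shell then exits with a non-zero status.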

Source: https://habr.com/ru/post/1340713/

