Embedding PHP files?

I have a script that calls a bash script that does some processing, but the script calls the bash script using user input.

I am wondering if there is a way to make sure that the person (he is downloading the file) does not add something like ;cd /;rm -rf * to the end of the file, or something else like that. Will normal MySQL injection methods work? Is there a better alternative?

+4
3 answers

The ability to enter shell commands would be ... shell injection, neither file nor SQL injection. To protect against it, use escapeshellarg:

exec('bash bash-script ' . escapeshellarg($userInput));
+5

Have you checked escapeshellcmd() and escapeshellarg(), or am I missing the point?

+1

Securing this process is a two-part procedure:

  • ensuring the input meets some criteria (especially for maximum types)
  • ensuring the input cannot flow out and change the process itself

Let's say I pass a number to the program ...

$num = $_GET['num'];         // get the input
$num = (int)$_GET['num'];    // ensure it is an integer
$num = max($num, 0);         // ensure it is at least 0
$num = min($num, 800);       // ensure it is at most 800
$num = escapeshellarg($num); // this is overkill at this point, but you never know
exec('command '.$num);

As stated above, you can also have your own language, but ...

  • it may be vulnerable
  • it may be excessive for a simple task
  • it's just an extended version of the filter system

Finally, there is another alternative. There are functions that take the command and its parameters as separate arguments, such as popen() (you can pass command arguments through pipes). But it depends on the implementation.

0
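The three answers above describe the same defence from different angles: escape the argument, validate it first, and (where possible) avoid the shell entirely. The following PHP is an added example that is not part of the original thread and not code from any of the answerers; it assumes a hypothetical helper script ./process.sh that echoes its first argument, and it uses the array form of proc_open(), which PHP 7.4 and later accept and which hands the arguments to the program without shell parsing.

```php
<?php
// Added example (not from the original thread). Assumes a hypothetical
// ./process.sh in the working directory that simply echoes its first argument.
declare(strict_types=1);

// Constructed sample of an attacker-controlled value: a file name with a
// shell metacharacter and a second (harmless) command appended.
$userInput = "report.txt; echo INJECTED";

// 1. Unsafe pattern from the question: the shell parses ';' and runs the
//    appended command. Shown for contrast only; never call it with untrusted input.
function runUnsafe(string $input): string
{
    return (string) shell_exec('bash ./process.sh ' . $input);
}

// 2. Escaped (answers 1 and 2): escapeshellarg() wraps the value in single
//    quotes and neutralises embedded quotes, so the shell sees one literal argument.
function runEscaped(string $input): string
{
    return (string) shell_exec('bash ./process.sh ' . escapeshellarg($input));
}

// 3. Validated (answer 3): reject anything outside an allow-list before it gets
//    near a command. Only plain basenames are accepted, so no path separators.
function validateFilename(string $input): ?string
{
    return preg_match('/\A[A-Za-z0-9._-]{1,64}\z/', $input) === 1 ? $input : null;
}

// 4. No shell at all (answer 3's "separate arguments" idea): with an array
//    command, proc_open() passes each element directly to the program, so
//    metacharacters in $input are never interpreted.
function runWithoutShell(string $input): string
{
    $descriptors = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open(['bash', './process.sh', $input], $descriptors, $pipes);
    if (!is_resource($proc)) {
        return '';
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return (string) $out;
}

// Validation first: the constructed input fails the allow-list and is rejected
// before any command is built.
$safeName = validateFilename($userInput);
if ($safeName === null) {
    echo "rejected by allow-list\n";
} else {
    echo runWithoutShell($safeName);
}

// Even when only escaping is applied, the whole string reaches the script as a
// single argument and the appended "echo INJECTED" is never executed as a command.
echo runEscaped($userInput);
```

Two caveats a practitioner will want: escapeshellarg() protects only the argument it wraps, so a value beginning with "-" can still be read as an option by the called program unless the command line ends the option list with "--" before the argument, and its quoting rules differ on Windows, where the shell is cmd.exe. Combining an allow-list with the array form of proc_open() removes both problems, because the value is checked before use and never passes through a shell.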

Source: https://habr.com/ru/post/1392492/
