Shagshag #1
exec, single quote & security...
Hello,
(i'm particularly interested in the security issue - php is running on
apache + linux)
i need to pass the result (here $exp) of a form submission to a third
party application using :
exec("echo $exp | third_part", $arr, $ret);
this $exp may contain single quotes such as in "they're" and if i'm
very unlucky harmful code for my system.
by now i use :
$exp = "'" . implode("' \' '", explode("'", stripslashes($exp))) . "'";
to be sure to maintain single quotes and i also expect to avoid some
common vulnerabilities (by enclosing them inside '')
how can i be sure that $exp isn't harmful ? is it enough ?
thanks,
Shagshag Guest
Luke Ross #2
Re: exec, single quote & security...
Hi,
Shagshag wrote:
> (i'm particularly interested in the security issue - php is running on
> apache + linux)
>
> i need to pass the result (here $exp) of a form submission to a third
> party application using :
>
> exec("echo $exp | third_part", $arr, $ret);
>
> this $exp may contain single quotes such as in "they're" and if i'm
> very unlucky harmful code for my system.
>
> by now i use :
>
> $exp = "'" . implode("' \' '", explode("'", stripslashes($exp))) . "'";
>
> to be sure to maintain single quotes and i also expect to avoid some
> common vulnerabilities (by enclosing them inside '')
>
> how can i be sure that $exp isn't harmful ? is it enough ?
There's a special built in function for this. See:
http://uk2.php.net/manual/en/function.escapeshellarg.php
Regards,
Luke
Luke Ross Guest
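An added example (not code from the thread) that builds the poster's "echo $exp | third_part" pipeline three ways on a constructed input: the manual quoting from the question, escapeshellarg() as the reply suggests, and, going beyond the thread, writing the data to the program's stdin so it never passes through the shell at all. It assumes cat in place of the unknown third_part program and PHP 7 or later for the type declarations.

```php
<?php
// Added example, not the poster's or PHP's own code. "third_part" is the
// poster's placeholder program; "cat" stands in for it here so the script
// runs anywhere (an assumption for demonstration only).
declare(strict_types=1);

// Constructed form input: a single quote plus shell metacharacters.
$exp = "they're; \$(hostname)";

// 1. The poster's manual quoting. In a double-quoted PHP string "\'" stays
//    backslash + quote, so the pieces become 'they' \' 're; ...'. Each piece
//    is quoted, so the shell does not interpret ';' or $(...), but the
//    spaces around \' split the text into separate words for echo.
//    stripslashes() is only appropriate when magic_quotes_gpc (PHP < 5.4)
//    added backslashes to form data; otherwise it eats real backslashes.
function manualQuote(string $s): string {
    return "'" . implode("' \' '", explode("'", $s)) . "'";
}

// 2. escapeshellarg(): the same close-quote/escaped-quote/reopen idiom,
//    emitted as one shell word with no added spaces.
function safeEchoCommand(string $s): string {
    return 'echo ' . escapeshellarg($s) . ' | cat';
}

// 3. Keep user data out of the shell entirely: write it to the program's
//    stdin. The command string is a constant, so nothing user-controlled
//    is ever parsed by sh. Returns [stdout, exit status].
function runWithStdin(string $program, string $input): array {
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($program, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException("cannot start $program");
    }
    fwrite($pipes[0], $input);
    fclose($pipes[0]);
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    return [$out, proc_close($proc)];
}

exec('echo ' . manualQuote($exp) . ' | cat', $manual);
exec(safeEchoCommand($exp), $escaped);
[$viaStdin, $status] = runWithStdin('cat', $exp);

// The poster's version reaches the program with extra spaces; the other two
// deliver $exp unchanged, and in all three the shell treats ';' and
// $(hostname) as literal text rather than executing them.
var_dump($manual[0] === $exp, $escaped[0] === $exp, $viaStdin === $exp);
```

If the input may start with "-n" or "-e", replace echo with printf '%s' so the program cannot mistake the data for options.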