[nycphp-talk] escapeshellcmd stupidity?

Edward Potter edwardpotter at
Fri Jan 2 12:23:46 EST 2009

Plan B.
THINGS, an AMAZING GTD application that syncs up with your iPhone.
They seem to have FINALLY got it right.  :-)  ed

On Fri, Jan 2, 2009 at 12:05 PM, Allen Shaw <ashaw at> wrote:
> Hi All,
> I have a shell script that manages my todo list, and I'd like to access it
> through the Web as well, for convenience when I'm traveling.  ssh is not
> ideal here, since Web gives me access from any machine without downloading
> PuTTY, for example.  Basic auth seems enough to protect my todo list from
> abuse, but the stakes get higher when we consider that I'm accepting shell
> script arguments over the web -- poor security could easily lead to
> arbitrary code being passed to the shell.
> Can anyone here comment on the wisdom of relying on escapeshellcmd() in a
> situation like this?  For example:
> <?php
>   $script_path = '/path/to/shell/script';
>   // the raw POST value is appended to the command line, then the whole line is escaped
>   shell_exec(escapeshellcmd("$script_path {$_POST['user_input']}"));
> ?>
> It looks right to me, and I've confirmed that it "works," but I can't test
> to confirm it's "safe."  I'd appreciate it if someone more experienced could
> tell me if this is just a Bad Idea.
> Thanks,
> Allen
> --
> Allen Shaw
> slidePresenter (
> _______________________________________________
> New York PHP User Group Community Talk Mailing List

IM/iChat: ejpusa
Follow me:

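The following is an added example for this thread, not code from either poster. It shows what escapeshellcmd() does and does not do to the command line in Allen's snippet, and contrasts it with escapeshellarg() and with a shell-free call through proc_open(). The script path is the same placeholder as in the question; the "--" convention and the allow-list are assumptions about what the todo script accepts, and the array form of proc_open() requires PHP 7.4 or later.

```php
<?php
// Added example (not from the original post). Why escapeshellcmd() on the
// whole command line is the wrong tool for user-supplied arguments, and
// what to use instead.

$script_path = '/path/to/shell/script';   // hypothetical, as in the question

// 1. escapeshellcmd() backslash-escapes shell metacharacters (; | & $ ` ~ and
//    others), so a classic command-chaining payload no longer runs a second
//    command ...
$payload = 'buy milk; rm -rf ~';
echo escapeshellcmd("$script_path $payload"), "\n";
// /path/to/shell/script buy milk\; rm -rf \~

// ... but it does NOT quote whitespace or leading dashes. Spaces still split
// the input into several argv entries, and a leading "-" is still seen as an
// option by whatever the script does with its arguments. The attacker controls
// the script's argv, even though no second command is injected.
$payload = '-f /etc/passwd add';
echo escapeshellcmd("$script_path $payload"), "\n";
// /path/to/shell/script -f /etc/passwd add   (three separate arguments)

// escapeshellcmd() also leaves a balanced pair of quotes unescaped, so a
// payload containing matched quotes keeps them; it is designed for the case
// where the user legitimately supplies a whole command, not one argument.

// 2. escapeshellarg() wraps one value in single quotes so the shell delivers it
//    as exactly one argv entry, whitespace and metacharacters included:
$arg = escapeshellarg('buy milk; rm -rf ~');
echo "$script_path $arg\n";
// /path/to/shell/script 'buy milk; rm -rf ~'
// Option injection ("-f ...") is still possible here; only the script can stop
// that, e.g. by treating "--" as end of options.

// 3. Safer still: do not build a shell command string at all. Pass an argv
//    array to proc_open() (PHP >= 7.4), so no shell parses anything, validate
//    the input against an allow-list, and pass "--" (assumed to be honoured by
//    the script) so the value cannot be read as an option.
function run_todo(string $script, string $input): array
{
    // allow-list: printable ASCII only, non-empty, bounded length
    if ($input === '' || strlen($input) > 200 || !preg_match('/^[\x20-\x7e]+$/', $input)) {
        throw new InvalidArgumentException('rejected todo input');
    }

    $argv = [$script, '--', $input];          // one argument, no shell involved
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start script');
    }

    $stdout = stream_get_contents($pipes[1]);
    $stderr = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $status = proc_close($proc);

    return ['status' => $status, 'stdout' => $stdout, 'stderr' => $stderr];
}

// Usage, e.g. behind the basic-auth-protected page from the question:
// $result = run_todo($script_path, $_POST['user_input'] ?? '');
```

The distinction to keep in mind: escapeshellcmd() is for escaping a command the user is allowed to compose, escapeshellarg() is for quoting one value so it arrives as a single argument, and neither protects the script from arguments it interprets as options. Removing the shell from the path (the array form of proc_open()) plus a strict allow-list on the value is the smallest change that closes both holes.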