[nycphp-talk] escapeshellcmd stupidity?
danielc at analysisandsolutions.com
Fri Jan 2 16:26:21 EST 2009
On Fri, Jan 02, 2009 at 02:37:43PM -0600, Allen Shaw wrote:

> In my case, I'm passing multiple arguments, but I'm now regexing them
> apart into separate arguments, so escapeshellarg() does work.

I would submit each argument as a separate POST or GET parameter. Each
argument would have a key (the name of the shell script flag) and a value
(uh, the value).

I'd put an array of allowed flags at the top of the script. Upon
submission, I'd loop over the allowed flags and look in GET/POST to see
if the value is set and, if it is, pass it along into the argument list to
the shell command.

> forward compat with the wrapped shell script, I'm hoping to avoid
> checking for valid arguments and instead just escaping each argument and
> letting the shell script do its own checking.

Oh, quit whining. Suck it up and do the right thing. :)

If you want to be really slick, have your shell script provide output of
usage or a list of allowed arguments in a format that will be easy for
your PHP script to parse into an array. Then have the PHP script call
the shell script using "/script --help" (or similar) and parse the output
into an array, then use that array to validate GET/POST.
T H E A N A L Y S I S A N D S O L U T I O N S C O M P A N Y
data intensive web and database programming
4015 7th Ave #4, Brooklyn NY 11232 v: 718-854-0335 f: 718-854-0409
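
The allowlist approach described in the message above, sketched as an added PHP example that is not part of the original post. The script path, flag names and usage-text layout are constructed, and it assumes the wrapped script accepts the "--flag=value" form.

```php
<?php
// Added example. Script path, flag names and usage text are constructed.

// Turn "--flag" / "--flag=VALUE" usage lines into [name => takesValue].
function parse_allowed_flags(string $usage): array
{
    $allowed = [];
    preg_match_all('/^[ \t]*--([a-z][a-z0-9-]*)(=\S+)?(?:\s|$)/m', $usage, $hits, PREG_SET_ORDER);
    foreach ($hits as $hit) {
        $allowed[$hit[1]] = !empty($hit[2]);
    }
    return $allowed;
}

// Loop over the allowed flags, never over the request keys.
function build_command(string $script, array $allowed, array $request): string
{
    $parts = [escapeshellarg($script)];
    foreach ($allowed as $flag => $takesValue) {
        if (!isset($request[$flag]) || !is_string($request[$flag])) {
            continue; // not submitted, or an array such as ?format[]=x
        }
        if ($takesValue) {
            // One escaped word per flag, so the value cannot become a new option.
            $parts[] = escapeshellarg("--$flag=" . $request[$flag]);
        } elseif ($request[$flag] === '1') {
            $parts[] = "--$flag"; // name matched [a-z0-9-] only, nothing to escape
        }
    }
    return implode(' ', $parts);
}

// Constructed stand-in for the output of running the script with --help.
$usage = <<<TXT
Usage: report.sh [options]
  --format=FMT   output format
  --since=DATE   start date
  --verbose      print progress
TXT;

// Constructed request: one hostile value, one key that is not an allowed flag.
$request = ['format' => 'csv', 'since' => '2009-01-01; id', 'verbose' => '1', 'exec' => 'x'];

echo build_command('/usr/local/bin/report.sh', parse_allowed_flags($usage), $request), "\n";
```

The "exec" key never reaches the command line because the loop runs over the parsed flag list, and the "; id" suffix stays inside a single quoted word.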