[nycphp-talk] escapeshellcmd stupidity?

Daniel Convissor danielc at
Fri Jan 2 16:26:21 EST 2009

On Fri, Jan 02, 2009 at 02:37:43PM -0600, Allen Shaw wrote:
> In my case, I'm passing multiple arguments, but I'm now regexing them  
> apart into separate arguments, so escapeshellarg() does work.

I would submit each argument as a separate POST or GET parameter.  Each 
argument would have a key (the name of the shell script flag) and a value 
(uh, the value).

I'd put an array of allowed flags at the top of the script.  Upon 
submission, I'd loop over the allowed flags and look in GET/POST to see 
if the value is set and, if it is, pass it along into the argument list to 
the shell command.

> forward compat with the wrapped shell script, I'm hoping to avoid  
> checking for valid arguments and instead just escaping each argument and  
> letting the shell script do its own checking.

Oh, quit whining.  Suck it up and do the right thing.  :)

If you want to be really slick, have your shell script provide output of 
usage or a list of allowed arguments in a format that will be easy for 
your PHP script to parse into an array.  Then have the PHP script call 
the shell script using "/script --help" (or similar) and parse the output 
into an array, then use that array to validate GET/POST.


 T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
            data intensive web and database programming
 4015 7th Ave #4, Brooklyn NY 11232  v: 718-854-0335 f: 718-854-0409
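
Added example, not part of the original message or the poster's code: the allowed-flags loop described above, sketched in PHP. The script path, the flag names and the assumption that the wrapped script accepts --flag=value are all hypothetical.

```php
<?php
// Added illustration. SCRIPT and the flag names are hypothetical placeholders.
const SCRIPT = '/usr/local/bin/report.sh';

// Allowed flags: true = the flag takes a value, false = bare switch.
const ALLOWED_FLAGS = [
    'format'  => true,
    'date'    => true,
    'verbose' => false,
];

/**
 * Build the shell command from request parameters. The loop runs over the
 * allowlist, not over the request, so unknown keys are never looked at.
 */
function build_command(array $request): string
{
    $parts = [escapeshellarg(SCRIPT)];
    foreach (ALLOWED_FLAGS as $flag => $takesValue) {
        if (!isset($request[$flag])) {
            continue;
        }
        $value = $request[$flag];
        if (!is_string($value)) {
            continue; // e.g. ?format[]=x arrives as an array; skip it
        }
        if ($takesValue) {
            // Flag and value are escaped as one word, so a value starting
            // with "-" cannot be read by the script as a separate option.
            $parts[] = escapeshellarg("--$flag=$value");
        } elseif ($value !== '' && $value !== '0') {
            $parts[] = "--$flag"; // name comes from the allowlist, not the user
        }
    }
    return implode(' ', $parts);
}

// Constructed sample input standing in for $_GET / $_POST.
$sample = [
    'format'  => 'csv; id',       // shell metacharacters stay inside quotes
    'verbose' => '1',
    'output'  => '/etc/passwd',   // not on the allowlist: dropped
];

echo build_command($sample), PHP_EOL;
```

The allowlist decides which flags reach the shell and escapeshellarg() keeps each value a single word; whether a given value is acceptable is still left to the wrapped script.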
