
Developers Planet


Dinesh Rawat February 2016

Cleaning untrusted inputs that build OS commands in PHP?

How do I remove untrusted inputs that build OS commands from the URL in PHP?

When I run automated testing with zaproxy, I get a P1 alert saying that my inputs are building OS commands. So I want to know how to clean those commands.

Answers


maxhb February 2016

Use escapeshellarg() and escapeshellcmd() to escape data for use as a shell command or argument.

<?php
// escapes a single argument so the shell sees it as one quoted word
// sample input: "/foo/bar/"
$userInput1 = $_GET['path'] ?? '';   // assumed source: a query-string parameter
$argument = escapeshellarg($userInput1);
exec("ls $argument", $output);

// escapes shell metacharacters such as ; & | ` $ ( ) { } [ ] for usage in a command line
// sample input: "ls -l; rm -rf /"
$userInput2 = $_GET['cmd'] ?? '';    // assumed source: a query-string parameter
$command = escapeshellcmd($userInput2);
exec($command, $output);

You should use both commands together to prevent users from executing arbitrary commands on your server.

Documentation:

http://php.net/manual/en/function.escapeshellarg.php
http://php.net/manual/en/function.escapeshellcmd.php
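The following is an added example, not code from the answer above or from the PHP manual. It shows the pattern that makes a ZAP "OS command injection" finding go away in practice: the command name and its options are fixed in the source, the untrusted value is only ever an argument, it is validated against an allow-list before use, and, where PHP 7.4 or later is available, the shell is skipped entirely by passing an array to proc_open() (which goes straight to execve(), so no shell metacharacter can be interpreted). escapeshellcmd() on a user-supplied command string, as in the second snippet above, still lets the user choose which program runs and with which arguments; it only stops them chaining a second command. The sample inputs, the `path` parameter name, and the `ls -l` use case are constructed for illustration.

```php
<?php
// Added example (not the original answer's code). Assumes PHP >= 7.4 for the
// array form of proc_open(); listWithShell() works on older versions too.
declare(strict_types=1);

// Constructed sample inputs standing in for $_GET['path'] (hypothetical parameter).
$samples = [
    '/var/www/html',       // benign
    '/tmp; rm -rf /',      // command chaining attempt
    "/tmp\nid",            // newline injection attempt
    '-la',                 // option injection: ls would parse this as a flag
    '/tmp/$(id)',          // command substitution attempt
];

// 1) Validate first: allow-list the characters a path may contain, reject the rest.
//    Validation is the real control; escaping is defence in depth.
function validPath(string $p): bool
{
    return (bool) preg_match('#\A/[A-Za-z0-9._/-]{0,255}\z#', $p);
}

// 2) If the shell must be used: the command is a constant string, the untrusted
//    value is quoted with escapeshellarg(), and "--" ends option parsing so a
//    value starting with "-" cannot be read as a flag.
function listWithShell(string $path): string
{
    if (!validPath($path)) {
        throw new InvalidArgumentException('rejected path');
    }
    $cmd = 'ls -l -- ' . escapeshellarg($path) . ' 2>&1';
    return shell_exec($cmd) ?? '';
}

// 3) Preferred: do not involve the shell. An array command goes straight to
//    execve(), so ; $( ) ` | and newlines in $path are just bytes in one argv entry.
function listWithoutShell(string $path): string
{
    if (!validPath($path)) {
        throw new InvalidArgumentException('rejected path');
    }
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open(['ls', '-l', '--', $path], $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start process');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}

foreach ($samples as $s) {
    try {
        listWithoutShell($s);
        echo 'OK   ', var_export($s, true), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'DENY ', var_export($s, true), ': ', $e->getMessage(), "\n";
    }
}
```

Only the first sample passes validation; the other four are rejected before any process is started. If the shell form must be kept, remember that escapeshellarg() wraps the value in single quotes and escapes embedded single quotes, which is safe for POSIX shells but behaves differently on Windows, where the function replaces quotes with spaces instead.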

Post Status

Asked in February 2016
Viewed 3,114 times
Voted 11
Answered 1 times
