Dinesh Rawat February 2016

cleaning untrusted inputs that build os commands in PHP?

how to remove untrusted inputs that build os commands from url in php?

When I running automatic testing zaproxy, I am getting an alert of P1 that is your inputs are building os commands. So I want to know how to clean those commands.

Answers


maxhb February 2016

Use escapeshellarg() and escapeshellcmd() to escape data for usage as shell command or argument.

// escapes a single argument
// sample input: "/foo/bar/"
$argument = escapeshellarg($userInput1); 
exec("ls $argument");

// escapes all special characters like [];{} for usage in command line
// sample input: "ls -l; rm -rf /"
$command = escapeshellcmd($userInput2);
exec($command);

You should use both commands together to prevent users from executing arbitrary commans on your server.

Documentation:

http://php.net/manual/en/function.escapeshellarg.php http://php.net/manual/en/function.escapeshellcmd.php

Post Status

Asked in February 2016
Viewed 3,114 times
Voted 11
Answered 1 times

Search




Leave an answer