开发者

Safe executing shell scripts; escaping vars before execution

Let's imagine that we have a simple php script that should get 开发者_JAVA技巧ssh_host, ssh_username, ssh_port from $_GET array and try to connect using this parameters to SSH.

$port      = escapeshellcmd($_GET['ssh_port']);
$host      = escapeshellcmd($_GET['ssh_host']);
$username  = escapeshellcmd($_GET['ssh_username']);

$answer = shell_exec("ssh -p " . $port . " " . $user . "@" . $host);

Is escapeshellcmd() enough or I need something more tricky? Or maybe I should use escapeshellarg() in this example?

Thank you.


I would say that this is what the escapeshellarg function has been created for -- so, to escape parameters, that's the one you should be using.

Basically :

  • To escape one parameter, use escapeshellarg
  • And to escape a command as a whole, use escapeshellcmd.


Quoting their respective documentations :

escapeshellcmd() :
This function should be used to make sure that any data coming from user input is escaped before this data is passed to the exec() or system() functions, or to the backtick operator.

escapeshellarg() :
This function should be used to escape individual arguments to shell functions coming from user input.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜