Reputation: 16596
Safe executing shell scripts; escaping vars before execution
Let's imagine that we have a simple php script that should get ssh_host, ssh_username, ssh_port from $_GET array and try to connect using this parameters to SSH.
$port = escapeshellcmd($_GET['ssh_port']);
$host = escapeshellcmd($_GET['ssh_host']);
$username = escapeshellcmd($_GET['ssh_username']);
$answer = shell_exec("ssh -p " . $port . " " . $user . "@" . $host);
Is escapeshellcmd() enough or I need something more tricky?
Or maybe I should use escapeshellarg() in this example?
Thank you.
Upvotes: 2
Views: 1198
Answers (1)
Reputation: 400972
I would say that this is what the escapeshellarg function has been created for -- so, to escape parameters, that's the one you should be using.
Basically :
- To escape one parameter, use
escapeshellarg - And to escape a command as a whole, use
escapeshellcmd.
Quoting their respective documentations :
escapeshellcmd() :
This function should be used to make sure that any data coming from user input is escaped before this data is passed to the exec() or system() functions, or to the backtick operator.
escapeshellarg() :
This function should be used to escape individual arguments to shell functions coming from user input.
Upvotes: 2
Related Questions
- Securing user input with escapeshellarg()
- PHP shellexec escape
- Safe use exec with php
- Best way to sanitize exec command with user inserted variables
- Is this usage of exec() safe when using escapeshellarg()?
- PHP function to escape string for writing into executable PHP file
- Safe shell call with php
- How to escape strings in for use in bash/sh via PHP's shell_exec?
- Escaping Shell echos
- Securing a string before exec()ing it