GFL

Reputation: 1424

Securing user input with escapeshellarg()

I need to use some user inputs with some shell_exec and exec commands. I know this can be a large security risk so I want to make sure I'm doing it right.

My original commands look like:

shell_exec('php getText.php "' . $_GET['title'] . '"');

exec('php importImages.php --comment="' . $_GET['comment'] . '"');

Is wrapping the user inputs with escapeshellarg the way I can secure this vulnerability? Will there be any issues with using it? Or anything else I should be concerned about?

shell_exec('php getText.php "' . escapeshellarg($_GET['title']) . '"');

exec('php importImages.php --comment="' . escapeshellarg($_GET['comment']) . '"');

Upvotes: 0

Views: 349

Answers (1)

miken32

Reputation: 42695

escapeshellarg() will quote and escape your values for you.

var_dump(escapeshellarg('foo'));
// output: string(5) "'foo'"

So your code should look like this:

shell_exec('php getText.php ' . escapeshellarg($_GET['title']));
exec('php importImages.php --comment=' . escapeshellarg($_GET['comment']));

Upvotes: 1
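As an added example (not code from the question or the answer), the pattern the answer recommends is wrapped in a small helper: every user value goes through escapeshellarg() once, the caller adds no quotes of its own, and a tiny inline PHP probe stands in for getText.php and importImages.php so you can confirm the values reach argv exactly as submitted. It assumes a POSIX shell; on Windows escapeshellarg() quotes differently.

```php
<?php
// Added example, not from the original post. Demonstrates the quoting the
// accepted answer recommends and verifies the result by running a probe.

// Turn positional values and --name=value options into one escaped string.
// escapeshellarg() wraps each value in single quotes and escapes embedded
// single quotes, so it must not be wrapped in further quotes by the caller
// (the question's "' . escapeshellarg(...) . '" form makes the single
// quotes literal and lets a double quote in the input end the outer pair).
function shellArgs(array $positional, array $options = []): string
{
    $parts = [];
    foreach ($positional as $value) {
        $parts[] = escapeshellarg($value);
    }
    foreach ($options as $name => $value) {
        // The option name is fixed by the caller, only the value is untrusted;
        // "--name=" and the quoted value form a single shell word.
        $parts[] = '--' . $name . '=' . escapeshellarg($value);
    }
    return implode(' ', $parts);
}

// Command line for a fixed script name, as in the answer's two examples.
function buildPhpCommand(string $script, array $positional, array $options = []): string
{
    return 'php ' . escapeshellarg($script) . ' ' . shellArgs($positional, $options);
}

// Run the same escaped arguments through an inline probe that prints argv
// (minus $argv[0]) as JSON, so the effect of the quoting can be inspected
// without the real scripts. "--" stops PHP from reading --comment as its own option.
function probeArgv(array $positional, array $options = []): array
{
    $probe = 'echo json_encode(array_slice($argv, 1));';
    $cmd = 'php -r ' . escapeshellarg($probe) . ' -- ' . shellArgs($positional, $options);
    return json_decode(shell_exec($cmd), true);
}

// Constructed sample inputs holding the characters the question worries
// about: spaces, both quote styles, a command separator and a substitution.
$title   = 'Tom\'s "notes"; whoami';
$comment = '$(date) && true';

echo buildPhpCommand('getText.php', [$title]), PHP_EOL;
echo buildPhpCommand('importImages.php', [], ['comment' => $comment]), PHP_EOL;

// Each value arrives as exactly one argv entry, byte for byte.
var_dump(probeArgv([$title]) === [$title]);
var_dump(probeArgv([], ['comment' => $comment]) === ['--comment=' . $comment]);
```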
