How to keep system() safe



I have a php page that needs to make a system() call to a perl app.  I
need to send user-entered search terms as parameters to the perl app,
and then capture the output from perl, do some light processing on it,
and then embed that into the php page.

I know how to do it, but this is not a controlled environment like a
LAN or a personal PC, so I am very paranoid about the risks of making
the system() call with user-supplied input.  I know I will need to
shellescapearg() the user-input.  Are there any other checks you would
recommend?  Perhaps checks against the length of the user-input?
ctype_alnum()?  Anything else I'm not thinking of?

Re: How to keep system() safe

You have to think about how the perl script uses the info users send. You
should also use a preg_match so that the input text contains only
valid characters and numbers, [a...z], [A...Z], [0...9]! Also, I
presumed you are concerned that the user could send multiple commands
on that line to bash; I think by doing the preg_match you will
eliminate this option!

  Ovidiu --Connecting Developers
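
The checks discussed in this thread (length limit, alphanumeric allowlist, no shell parsing of user input), combined in one sketch. This is an added example, not code from either poster; `PERL_BIN`, `SEARCH_SCRIPT`, the limits and both function names are assumptions, and the array form of `proc_open()` needs PHP 7.4 or later. On older versions the equivalent step is quoting each term with `escapeshellarg()` before building the command string.

```php
<?php
declare(strict_types=1);
const PERL_BIN      = '/usr/bin/perl';       // assumed interpreter path
const SEARCH_SCRIPT = '/path/to/search.pl';  // placeholder, not from the thread
const MAX_INPUT_LEN = 200;                   // assumed limits
const MAX_TERMS     = 8;

/** Split input into terms; return null unless every term is ASCII alphanumeric. */
function validate_terms(string $raw): ?array
{
    if (strlen($raw) > MAX_INPUT_LEN) {
        return null;
    }
    $terms = preg_split('/ +/', $raw, -1, PREG_SPLIT_NO_EMPTY);
    if (!$terms || count($terms) > MAX_TERMS) {
        return null;
    }
    foreach ($terms as $t) {
        // \A and \z anchor the whole string; "$" would also accept a trailing newline.
        if (preg_match('/\A[A-Za-z0-9]+\z/', $t) !== 1) {
            return null;
        }
    }
    return $terms;
}

/** Run the script with no shell involved; return its stdout, or null on failure. */
function run_search(array $terms): ?string
{
    // Array command: each element becomes one argv entry, nothing is parsed by /bin/sh.
    $cmd  = array_merge([PERL_BIN, SEARCH_SCRIPT], $terms);
    $spec = [0 => ['file', '/dev/null', 'r'], 1 => ['pipe', 'w'], 2 => ['file', '/dev/null', 'w']];
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        return null;
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    return proc_close($proc) === 0 ? (string) $out : null;
}

// Constructed inputs: only the first passes. "--help" has no shell metacharacter,
// so quoting alone would let it through and the script could read it as an option.
foreach (['firewall logs', 'report; ls', '--help', "term\n", str_repeat('a', 500)] as $input) {
    $terms = validate_terms($input);
    echo json_encode($input), ' => ', $terms === null ? 'rejected' : 'accepted', "\n";
    if ($terms !== null && is_file(SEARCH_SCRIPT)) {
        echo htmlspecialchars((string) run_search($terms), ENT_QUOTES, 'UTF-8'), "\n";
    }
}
```

The final `htmlspecialchars()` call covers the other half of the question: the Perl output is encoded before it is embedded in the page.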
