Sams Teach Yourself PHP in 24 Hours, Third Edition by Matt Zandstra

Plugging Security Holes with escapeshellcmd()

Before looking at escapeshellcmd(), let’s examine the danger it guards against. We want to allow users to type in the names of manual pages and view output online. Now that we can output one manual page, it is a trivial matter to output any available page. Do not install the code in Listing 21.5; we are deliberately leaving a major security gap unplugged.

Listing 21.5. Calling the man Command
    <!DOCTYPE html PUBLIC
      "-//W3C//DTD XHTML 1.0 Strict//EN"
      "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
    <html>
    <head>
    <title>Listing 21.5 Calling the 'man' Command.
    This Script is NOT Secure</title>
    </head>
    <body>
    <div>
    <form action="<?php print $PHP_SELF ?>" method="post">
    ...
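For contrast, here is a hardened version of the same lookup. This is an added example, not code from the book or from Listing 21.5: it assumes the form posts the page name in a field called page, and it uses $_POST and $_SERVER['PHP_SELF'] rather than the register_globals-era $PHP_SELF of the original listing. The page name is checked against an allowlist before anything reaches the shell, the argument is wrapped with escapeshellarg(), and the command output is HTML-escaped before it is printed.

```php
<?php
// Added example (not from the book). The listing above passes a user-typed
// manual page name to the shell; this shows how to run the same lookup safely.
// Assumptions (mine, not the book's): the form field is named "page", and the
// script runs on PHP 7+ where $_POST/$_SERVER are used instead of $PHP_SELF.

/**
 * Validate a manual page name against an allowlist of characters.
 * Names like "ls", "printf.3" or "git-log" pass; anything containing spaces,
 * quotes, semicolons, pipes or other shell syntax is rejected outright.
 * The first character may not be a dash, so the value can never be parsed
 * by man as an option.
 */
function valid_page_name(string $page): bool
{
    return (bool) preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$/', $page);
}

/**
 * Build the command line. escapeshellarg() wraps the value in single quotes
 * and escapes embedded quotes, so the whole value reaches man as exactly one
 * argument. escapeshellcmd() only neutralises shell metacharacters and leaves
 * whitespace alone, so by itself it still allows a value to be split into
 * several arguments: use escapeshellcmd() on a complete command string and
 * escapeshellarg() on each individual argument.
 */
function build_man_command(string $page): string
{
    return 'man ' . escapeshellarg($page) . ' 2>&1';
}

/** Run the lookup; returns the page text, or null if the name was rejected. */
function fetch_man_page(string $page): ?string
{
    if (!valid_page_name($page)) {
        return null;
    }
    $output = shell_exec(build_man_command($page));
    // shell_exec() returns null/false when there is no output or the pipe fails.
    return is_string($output) ? $output : '';
}

$page = isset($_POST['page']) ? trim((string) $_POST['page']) : '';
$self = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8');
?>
<!DOCTYPE html>
<html>
<head><title>Calling the 'man' Command (hardened)</title></head>
<body>
<form action="<?php print $self ?>" method="post">
  <label>Manual page: <input type="text" name="page"
        value="<?php print htmlspecialchars($page, ENT_QUOTES, 'UTF-8') ?>" /></label>
  <input type="submit" value="Look up" />
</form>
<?php
if ($page !== '') {
    $text = fetch_man_page($page);
    if ($text === null) {
        print '<p>That is not a valid manual page name.</p>';
    } else {
        // Escape the output as well: a man page is plain text, not trusted HTML.
        print '<pre>' . htmlspecialchars($text, ENT_QUOTES, 'UTF-8') . '</pre>';
    }
}
?>
</body>
</html>
```

The allowlist does the real work here: escaping only stops a value from breaking out of its argument, while the regular expression decides which values are acceptable at all. Keeping both gives a script that still works if one layer is later weakened.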
