I have this code:
$cmd = escapeshellcmd($_GET['command']);
$cmd2 = escapeshellcmd($_GET['command2']);
exec("program" . $cmd . $cmd2);
And I want to know if it is secure to allow any person to use it with an HTML form?
No, don't let using escapeshellcmd or escapeshellarg give you a false sense of security. Passing values directly to the command line, even escaped, without any form of validation is asking for trouble.
If you are adamant I'd advise reading the following discussion:
What's the difference between escapeshellarg and escapeshellcmd?
You need to whitelist allowed commands.
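$cmd = escapeshellcmd($_GET['command']);
$cmd2 = escapeshellcmd($_GET['command2']);
// Only these exact command names are accepted.
$allowed_cmds = array('ls', 'foo' /* , ... */);
if (in_array($cmd, $allowed_cmds, true)) {
    if (in_array($cmd2, $allowed_cmds, true)) {
        // Both values passed the whitelist; separate them with spaces.
        exec("program " . $cmd . " " . $cmd2);
    }
}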
Personally though, you are doing something wrong. I've written socket systems, websites, database abstractions, language processing libraries, email servers, regex parsers, and a whole slew of other things.
I've never needed the nasty, slow exec.
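The advice in the two answers above (validate first, do not rely on escaping alone) put together as an added example; it is not code from either answer. `ALLOWED` and `build_command()` are hypothetical names, the sample inputs are constructed, and `program`, `command` and `command2` are the placeholders from the question.

```php
<?php
// Added example: allow-list validation first, then per-argument quoting.
// ALLOWED and build_command() are hypothetical names; "program" is the
// placeholder binary from the question.
const ALLOWED = ['ls', 'foo'];

function build_command(array $query): ?string
{
    $args = [];
    foreach (['command', 'command2'] as $key) {
        $value = $query[$key] ?? null;
        // Strict comparison: only exact, known strings pass. Arrays
        // (?command[]=ls) and missing parameters are rejected too.
        if (!is_string($value) || !in_array($value, ALLOWED, true)) {
            return null;
        }
        // escapeshellarg() quotes the value as exactly one argument.
        $args[] = escapeshellarg($value);
    }
    return 'program ' . implode(' ', $args);
}

// Constructed sample inputs standing in for $_GET.
$samples = [
    ['command' => 'ls', 'command2' => 'foo'],
    ['command' => 'ls', 'command2' => '-x --flag'],
    ['command' => ['ls'], 'command2' => 'foo'],
];
foreach ($samples as $query) {
    $cmd = build_command($query);
    echo json_encode($query), ' => ', $cmd ?? 'rejected', PHP_EOL;
}

// escapeshellcmd() does not escape spaces or dashes, so this value comes
// back unchanged and would reach the program as two separate options.
var_dump(escapeshellcmd('-x --flag') === '-x --flag');
```

Only a string returned by `build_command()` would be handed to `exec()`; a `null` result means the request is refused.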