Shell Commands
Be very wary of using the exec(), system(), passthru(), and popen() functions and the backtick (`) operator in your code. The shell is a problem because it recognizes special characters (e.g., semicolons to separate commands). For example, suppose your script contains this line:
system("ls {$directory}");
If the user passes the value "/tmp;cat /etc/passwd" as the $directory parameter, your password file is displayed because system() executes the following command:
ls /tmp;cat /etc/passwd
In cases where you must pass user-supplied arguments to a shell command, use escapeshellarg() on the string to escape any sequences that have special meaning to shells:
$cleanedArg = escapeshellarg($directory);
system("ls {$cleanedArg}");
Now, if the user passes "/tmp;cat /etc/passwd", the command that's actually run is:
ls '/tmp;cat /etc/passwd'
The easiest way to avoid the shell is to do the work of whatever program you’re trying to call in PHP code, rather than calling out to the shell. Built-in functions are likely to be more secure than anything involving the shell.
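The following script is an added example, not code from Programming PHP. It puts the three approaches discussed above side by side: the injectable interpolation, the escapeshellarg() form, and a shell-free alternative built on scandir(). The input value is the constructed one from the text; the function names unsafeCommand(), safeCommand() and listDirectory() are this example's own. It only builds the unsafe command string and never executes it, so it is safe to run as-is; the quoting shown assumes a Unix shell, since escapeshellarg() quotes differently on Windows.

```php
<?php
// Added example (not from Programming PHP): the injectable form, the
// escaped form, and a shell-free alternative, side by side.

// Constructed input taken from the text: a semicolon ends the ls command
// and starts a second one.
$directory = "/tmp;cat /etc/passwd";

// 1. Vulnerable: the value is interpolated directly into the command line.
//    Returned as a string only; this example never passes it to system().
function unsafeCommand(string $directory): string
{
    return "ls {$directory}";                    // ls /tmp;cat /etc/passwd
}

// 2. Escaped: escapeshellarg() wraps the value in single quotes and escapes
//    any embedded single quotes, so the shell sees exactly one argument.
function safeCommand(string $directory): string
{
    return "ls " . escapeshellarg($directory);   // ls '/tmp;cat /etc/passwd'
}

// 3. Shell-free: do the listing with a built-in, so no shell is spawned and
//    there are no metacharacters to worry about at all.
function listDirectory(string $directory): array
{
    if (!is_dir($directory)) {
        throw new InvalidArgumentException("not a directory: $directory");
    }
    return array_values(array_diff(scandir($directory), ['.', '..']));
}

echo unsafeCommand($directory), PHP_EOL;
echo safeCommand($directory), PHP_EOL;
// A single quote in the input is the case escapeshellarg() has to handle:
// on Unix it becomes 'it'\''s', still one argument to ls.
echo safeCommand("it's"), PHP_EOL;
// Running the escaped command is fine: ls reports that no such directory
// exists instead of the shell running a second command.
passthru(safeCommand($directory));
print_r(listDirectory('/tmp'));
```

The point of keeping unsafeCommand() as a string builder is that you can see the difference between the two command lines without ever handing the unescaped one to the shell; in real code the string builder for the unsafe version should not exist at all.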