Date: 07/05/01
- Next message: derick <email protected>: "Re: [PHP-DEV] Bug #11890 Updated: linux exploitable"
- Previous message: Alexander Bokovoy: "Re: [PHP-DEV] Bug #11890 Updated: linux exploitable"
- In reply to: derick <email protected>: "Re: [PHP-DEV] Bug #11890 Updated: linux exploitable"
Derick wrote:
> As far as I can see, shell_arg only escapes the ' and shell_cmd the
> following characters: #&;`'\"|*?~<>^()[]{}$\\\x0A\xFF so I think
> _shell_cmd would be the best choice.

This is probably a nit-picking point that I should not have
wasted your time with. :) Here was my reasoning for recommending
_shell_arg over _shell_cmd:

_shell_cmd escapes a range of characters to render them safe
to use as part of a shell argument. It uses the strategy of
escaping meta-characters and control operators with a
leading backslash so that they are interpreted as literal
values.

_shell_arg single quotes a string, and converts any existing
single quotes (') in the value to '\''. This sequence
temporarily ends the single-quoted string, inserts a literal
single quote, and then resumes the string.

Shells don't interpret *anything* inside of a single quoted
string, making this a very safe strategy (IMUO)

However, given that no one cognizant of these matters has
made the same recommendation, you are probably quite safe
in your original choice! :)

--zak
--
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: php-dev-unsubscribe <email protected>
For additional commands, e-mail: php-dev-help <email protected>
To contact the list administrators, e-mail: php-list-admin <email protected>
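
The two escaping strategies described in the message above, as an added example that is not part of the original post and is not PHP's own code: Python re-implementations fed through a shell to show what the shell actually parses. The names `backslash_escape`, `single_quote` and `argv_seen_by_shell` are hypothetical, a POSIX `/bin/sh` is assumed, and the `\x0A` and `\xFF` entries of the quoted character list are left out.

```python
import subprocess

# Metacharacters from the list quoted in the message; its \x0A and \xFF
# entries are left out here to keep the demonstration text-only.
META = set("#&;`'\"|*?~<>^()[]{}$\\")


def backslash_escape(value: str) -> str:
    """Backslash strategy: put a backslash before each listed metacharacter."""
    return "".join("\\" + ch if ch in META else ch for ch in value)


def single_quote(value: str) -> str:
    """Single-quote strategy: wrap in '...' and rewrite each ' as '\\''."""
    return "'" + value.replace("'", "'\\''") + "'"


def argv_seen_by_shell(fragment: str) -> list[str]:
    """Have /bin/sh parse the fragment and return the arguments it produced."""
    script = 'for a in "$@"; do printf "%s\\000" "$a"; done'
    out = subprocess.run(
        ["/bin/sh", "-c", f"set -- {fragment}; {script}"],
        capture_output=True, check=True,
    ).stdout
    return [part.decode() for part in out.split(b"\0")[:-1]]


# Constructed sample values, not taken from the bug report.
SAMPLES = ["it's a file; name.txt", "$HOME *.txt"]

if __name__ == "__main__":
    for value in SAMPLES:
        print("value       :", value)
        print("backslash   :", argv_seen_by_shell(backslash_escape(value)))
        print("single quote:", argv_seen_by_shell(single_quote(value)))
```

Both forms keep every listed metacharacter literal, but the backslash form leaves whitespace alone, so the value reaches the program as several arguments, while the single-quoted form arrives as exactly one.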

