toastar Posted July 12, 2011 Share Posted July 12, 2011 Primer: I'm working on a PHP Wrapper for a C++/Fortran Program. It's heavily based on like 20 programs and piping data to and from one another. So this is usually done via .sh scripts. But I'd like to simplify the process and add some SQL for data management and add a Web based frontend. Question: Since I can't see a way around using shell_exec() how can I minimize the security implications? Should I be sanitizing the inputs as I read in the POSTs/GETs, or should i do it right before I call the exec();? What besides checking outside variables, Should I try to make sure semicolons are hardcoded? Any other tips? Link to comment https://forums.phpfreaks.com/topic/241834-shell_exec-security/ Share on other sites More sharing options...
xyph Posted July 12, 2011 Share Posted July 12, 2011 It doesn't matter when you sanitize them as long as you do. Don't allow the user to enter anything other than letters or numbers. Without spaces, dashes, slashes, etc it's very hard to inject. Ideally, you want to sanitize each call as needed, and not have a general sanitize function for everything. Link to comment https://forums.phpfreaks.com/topic/241834-shell_exec-security/#findComment-1241929 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.