One way to safeguard against such attempts is to
sanitize user input before it is passed to any of PHP's program execution functions.
Two standard functions are conveniently available for doing so: escapeshellarg()
and escapeshellcmd(). Each is introduced in this section.
Delimiting Input
The escapeshellarg() function delimits provided arguments with single quotes and
prefixes (escapes) quotes found within the input. Its prototype follows:
string escapeshellarg(string arguments)
The effect is that when arguments is passed to a shell command, it will be considered
a single argument. This is significant because it lessens the possibility that an
attacker could masquerade additional commands as shell command arguments.
Therefore, in the previously nightmarish scenario, the entire user input would be
enclosed in single quotes, like so:
'http://www.wjgilmore.com/ ; cd /usr/local/apache/htdoc/; rm -rf *'
The result would be that HTMLDOC would simply return an error instead of deleting
an entire directory tree because it can't resolve the URL possessing this syntax.
CHAPTER 10 ■ WORKING WITH THE FILE AND OPERATING SYSTEM 305
Escaping Potentially Dangerous Input
The escapeshellcmd() function operates under the same premise as escapeshellarg(),
sanitizing potentially dangerous input by escaping shell metacharacters. Its prototype
follows:
string escapeshellcmd(string command)
These characters include the following: # & ; , | * ? , ~ < > ^ ( ) [ ] { } $ \\.
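The following script, added here and not part of the book's text, applies both functions to the HTMLDOC scenario from the previous section. The htmldoc command line, the buildHtmldocCommand() helper and the sample URL are constructed for illustration; the script only builds and prints command strings, it does not execute them.

```php
<?php
// Constructed sample input imitating the malicious URL discussed above.
$userUrl = "http://www.wjgilmore.com/ ; cd /usr/local/apache/htdoc/; rm -rf *";

// Hypothetical helper: assembles the HTMLDOC command line with the
// untrusted URL passed through escapeshellarg(). Nothing is executed.
function buildHtmldocCommand(string $url): string
{
    // escapeshellarg() wraps the whole value in single quotes and escapes any
    // single quote inside it, so the shell receives exactly one argument and
    // the embedded semicolons never start a second command.
    return 'htmldoc --webpage -f output.pdf ' . escapeshellarg($url);
}

echo buildHtmldocCommand($userUrl), PHP_EOL;

// A single quote inside the input cannot close the quoting early; it is
// escaped as part of the single argument.
echo escapeshellarg("it's"), PHP_EOL;

// escapeshellcmd() takes a whole command string and backslash-escapes the
// metacharacters listed above instead of quoting. The ';' and '*' lose
// their special meaning, but the text is not collapsed into one argument.
echo escapeshellcmd("ls ; rm -rf *"), PHP_EOL;

// Caveat for the defender: escapeshellcmd() does not escape spaces, so a
// value substituted into a command can still supply additional options or
// arguments to that program. Use escapeshellarg() for each untrusted value
// and reserve escapeshellcmd() for the command string as a whole.
```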