Question
I need to filter these vars to call system() in PHP and execute a shell script. Which filter_var SANITIZE macro do I need to use to remove ";" or other problems during shell execution? Unwanted chars, etc.
This is my code testing example; for now I've hardcoded the vars for testing. Thanks!
<?php
// Check that all four parameters are present before reading them
// (the original read $_GET first and checked afterwards).
if (!filter_has_var(INPUT_GET, "ragionesociale") ||
    !filter_has_var(INPUT_GET, "sito") ||
    !filter_has_var(INPUT_GET, "meta") ||
    !filter_has_var(INPUT_GET, "api")
) {
    echo("Input type does not exist");
    exit();
}
$ragionesociale = $_GET["ragionesociale"]; /* Alphanumeric with spaces, trimmed next */
$api = $_GET["api"];                       /* URI with spaces encoded (the original read "ragionesociale" here, a copy-paste slip) */
$sito = $_GET["sito"];                     /* URI with spaces encoded */
$meta = $_GET["meta"];                     /* Address, CF, a lot of things... */
$tmp_dir = "tmp_app";
// The arguments are concatenated unquoted; this is the call the question asks how to make safe.
system("../configmyapp2.sh ".$ragionesociale." ".$api." ".$sito." ".$meta." ".$tmp_dir);
Answer 1:
http://php.net/manual/en/function.escapeshellarg.php
Pass your command-line parameters through this and you're safe ;) Also, I'd recommend you use exec() instead of system() or even shell_exec(), because you'll be able to get the return value from your script as well as any text output, which you may want to use.
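Putting Answer 1 into practice on the poster's call: an added example, not code from the answer or the question, that quotes every argument with escapeshellarg() and uses exec() so the script's exit status and output are available. The script path and the five positional arguments are taken from the question; the hostile sample input is constructed.

```php
<?php
// Added example, not from the original question or answers.
// Hardened form of the poster's system() call: every user-supplied argument
// goes through escapeshellarg(), and exec() is used so the script's output
// and exit status come back to PHP.
// Assumption: ../configmyapp2.sh takes five positional arguments
// (ragionesociale, api, sito, meta, tmp_dir), exactly as in the question.

declare(strict_types=1);

/**
 * Build the command line for configmyapp2.sh with every argument quoted.
 * Nothing is executed here, so the result can be inspected (or unit-tested)
 * before it is run.
 */
function build_config_command(string $ragionesociale, string $api, string $sito, string $meta, string $tmp_dir): string
{
    $script = '../configmyapp2.sh';
    $args   = [$ragionesociale, $api, $sito, $meta, $tmp_dir];

    // escapeshellarg() wraps each value in single quotes and escapes any
    // embedded single quote, so ";", "&&", "|", "$(...)" and spaces are
    // all passed literally as part of one argument.
    $quoted = array_map('escapeshellarg', $args);

    return $script . ' ' . implode(' ', $quoted);
}

/**
 * Run the script and return its exit code plus captured stdout/stderr lines.
 * exec() gives both; system() only echoes the output and returns the last line.
 */
function run_config_script(string $ragionesociale, string $api, string $sito, string $meta, string $tmp_dir): array
{
    $cmd       = build_config_command($ragionesociale, $api, $sito, $meta, $tmp_dir);
    $output    = [];
    $exit_code = 1;
    exec($cmd . ' 2>&1', $output, $exit_code);
    return ['exit_code' => $exit_code, 'output' => $output];
}

// Constructed input that would be an injection against the unquoted original:
// the ";" would end the script's argument list and start a second command.
$hostile = 'ACME Srl; rm -rf /';
echo build_config_command(
    $hostile,
    'https://api.example.test/v1',
    'https://www.example.test',
    'Via Roma 1',
    'tmp_app'
), PHP_EOL;
```

With the unquoted original, the string above would be split at the ";" and the remainder executed as a second command; after escapeshellarg() it is one single-quoted argument and the script receives the whole string as $1. One caveat: escapeshellarg() protects the boundary between PHP and the shell, not what configmyapp2.sh does with the value afterwards. If the script itself expands $1 unquoted into another command, that second boundary needs its own quoting.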
Answer 2:
If this can be triggered by other users, then I would not go this route.
It's very dangerous, especially with your multiple parameters and sanitization rules.
Answer 3:
You might be interested in escapeshellarg().
escapeshellarg() adds single quotes around a string and quotes/escapes any existing single quotes, allowing you to pass a string directly to a shell function and have it treated as a single safe argument. This function should be used to escape individual arguments to shell functions coming from user input. The shell functions include exec(), system() and the backtick operator.
Answer 4:
There is no built-in sanitization filter that can do this; however, you can fake it with FILTER_CALLBACK and escapeshellarg, like this:
$var = filter_var($input, FILTER_CALLBACK, array('options' => 'escapeshellarg'));
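Extending Answer 4 to the four GET parameters at once: an added example, not part of the answer, that first validates each field against an allow-list with filter_var_array() and then applies the FILTER_CALLBACK/escapeshellarg form to the validated set in one call. The regex patterns are assumptions drawn from the comments in the question ("alphanumeric with spaces", "URI"); the request array is constructed so the snippet runs without a web server.

```php
<?php
// Added example (not from the original answer): allow-list validation first,
// then FILTER_CALLBACK + escapeshellarg over all fields via filter_var_array().

declare(strict_types=1);

/**
 * Validate the four parameters. Returns the validated values, or null if any
 * is missing or fails its rule. The rules are assumptions based on the
 * comments in the question.
 */
function validate_request(array $input): ?array
{
    $rules = [
        'ragionesociale' => [
            'filter'  => FILTER_VALIDATE_REGEXP,
            'options' => ['regexp' => '/^[A-Za-z0-9 ]{1,100}$/'],
        ],
        'api'  => ['filter' => FILTER_VALIDATE_URL],
        'sito' => ['filter' => FILTER_VALIDATE_URL],
        'meta' => [
            'filter'  => FILTER_VALIDATE_REGEXP,
            'options' => ['regexp' => '/^[A-Za-z0-9 ,.\-]{1,200}$/'],
        ],
    ];
    // add_empty=true: a missing key comes back as null and is rejected below.
    $validated = filter_var_array($input, $rules, true);
    if (!is_array($validated)) {
        return null;
    }
    foreach (array_keys($rules) as $field) {
        if (!isset($validated[$field]) || $validated[$field] === false) {
            return null;
        }
    }
    return $validated;
}

/**
 * Escape every validated value for the shell, using the FILTER_CALLBACK form
 * from the answer but applied to the whole array in one filter_var_array() call.
 */
function escape_for_shell(array $validated): array
{
    $definition = array_fill_keys(
        array_keys($validated),
        ['filter' => FILTER_CALLBACK, 'options' => 'escapeshellarg']
    );
    return filter_var_array($validated, $definition);
}

// Constructed request (in production this would be $_GET).
$request = [
    'ragionesociale' => 'ACME Srl',
    'api'            => 'https://api.example.test/v1?key=a%20b',
    'sito'           => 'https://www.example.test',
    'meta'           => 'Via Roma 1, Milano',
];

$validated = validate_request($request);
if ($validated === null) {
    echo "Input missing or invalid\n";
    exit(1);
}
$args = escape_for_shell($validated);
$cmd  = '../configmyapp2.sh ' . implode(' ', [
    $args['ragionesociale'],
    $args['api'],
    $args['sito'],
    $args['meta'],
    escapeshellarg('tmp_app'),
]);
echo $cmd, PHP_EOL;
```

Validation comes first because escapeshellarg() makes any string shell-safe but not sensible: a "company name" made of kilobytes of punctuation is harmless to the shell yet still reaches the script. FILTER_VALIDATE_URL accepts percent-encoded spaces, which matches the question's "URI with spaces encoded", but it accepts any scheme, so check the scheme separately if only http/https is intended; escapeshellarg() handles whatever characters remain either way.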
Source: https://stackoverflow.com/questions/9838924/filter-var-for-calling-a-shellscript-with-system-on-php