Also, make sure that if you run the script with user input that you validate the input...
Input like '<username>; cat /etc/passwd' would be no fun at all

-----Original Message-----
From: Simon Willison [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 26, 2002 7:14 AM
To: bvr
Cc: php-general
Subject: Re: [PHP] CGI

bvr wrote:

>Please note that plain this:
>
>>or
>><?
>>if ($action=="cgi") echo `./cgi-bin/cgiscripts/${scripts} 2>&1`;
>>?>
>>
>is not a good idea, because it allows a visitor to run arbitrary
>commands on your server.
>
>bvr.
>

If you still want to use that method have a look at these two functions
which can be used to make user input "safe" for use on a command line:

http://www.php.net/manual/en/function.escapeshellarg.php
http://www.php.net/manual/en/function.escapeshellcmd.php

Simon

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
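An added example, not code from anyone in this thread: one way to combine the input validation and the escapeshellarg() call recommended above. The helper names resolve_script() and run_script(), the temporary directory and the "hello" script are constructed for illustration, and the character allowlist is an assumption about what script names look like.

```php
<?php
// Hypothetical helper: map a user-supplied name to a file inside $baseDir, or null.
function resolve_script(string $baseDir, string $name): ?string
{
    // Allowlist the characters: no slashes, dots, spaces or shell metacharacters.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $name);
    // realpath() returns false for a missing file; the prefix check rejects
    // anything (e.g. a symlink) that resolves outside the script directory.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return (is_file($path) && is_executable($path)) ? $path : null;
}

// Hypothetical helper: run a validated script and return its output, or null if rejected.
function run_script(string $baseDir, string $name): ?string
{
    $path = resolve_script($baseDir, $name);
    if ($path === null) {
        return null;
    }
    // escapeshellarg() quotes the path so the shell sees exactly one word.
    return (string) shell_exec(escapeshellarg($path) . ' 2>&1');
}

// Constructed demo data: a throwaway script directory with one script.
$dir = sys_get_temp_dir() . '/cgiscripts_demo_' . getmypid();
mkdir($dir, 0700);
file_put_contents("$dir/hello", "#!/bin/sh\necho hello from cgi\n");
chmod("$dir/hello", 0700);

// Constructed inputs: one valid name and three that must be rejected.
foreach (['hello', 'hello; cat /etc/passwd', '../hello', 'missing'] as $input) {
    $out = run_script($dir, $input);
    printf("%-28s => %s\n", var_export($input, true),
        $out === null ? 'rejected' : trim($out));
}

unlink("$dir/hello");
rmdir($dir);
```

Only the first input runs; the other three are rejected before any shell is invoked, so the quoting in escapeshellarg() is a second layer rather than the only one.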