bvr wrote:

>Still this wouldn't prevent a visitor from passing something like :
>
>../../../../bin/cat /etc/passwd
>
>bvr.
>

Erk good point - I should have mentioned that it's a very good idea to run basename() on user input as well as this will knock off any directory paths they may have attempted to add. Alternatively run a regular expression to ensure their input consists only of harmless characters (for example [a-zA-Z0-9]).

http://www.php.net/basename

>>>if (action=="cgi") echo `./cgi-bin/cgiscripts/${scripts} 2&>1`;
>>>
>>If you still want to use that method have a look at these two functions
>>which can be used to make user input "safe" for use on a command line:
>>
>>http://www.php.net/manual/en/function.escapeshellarg.php
>>http://www.php.net/manual/en/function.escapeshellcmd.php
>>
>>Simon
>>

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
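
The checks suggested in this thread (basename(), a character allowlist, and escapeshellarg()) combined into one validator, as an added example that is not part of the original messages. The names `CGI_DIR` and `resolve_script()` are assumptions, and the example rejects input containing a path instead of silently stripping it, with a realpath() containment check added on top.

```php
<?php
// Added example, not code from the thread. CGI_DIR and resolve_script() are assumed names.
const CGI_DIR = __DIR__ . '/cgi-bin/cgiscripts';

/**
 * Return the absolute path of an allowed script, or null if the input is rejected.
 */
function resolve_script(string $input, string $baseDir = CGI_DIR): ?string
{
    // 1. basename() drops directory components ("../../bin/cat" becomes "cat").
    $name = basename($input);

    // 2. Reject input that carried a path at all, and anything outside the
    //    [a-zA-Z0-9] allowlist. Spaces fail too, so no extra arguments get through.
    if ($name !== $input || !preg_match('/\A[a-zA-Z0-9]+\z/', $name)) {
        return null;
    }

    // 3. Resolve symlinks and confirm the target really lives under the base directory.
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $name);
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
        || !is_file($path) || !is_executable($path)) {
        return null;
    }
    return $path;
}

// Constructed sample inputs, including the string quoted in the thread.
$samples = ['hello', '../../../../bin/cat /etc/passwd', 'hello world', ''];
foreach ($samples as $s) {
    $path = resolve_script($s);
    if ($path === null) {
        echo 'rejected: ', var_export($s, true), "\n";
        continue;
    }
    // 4. Quote the resolved path as a single shell argument before it reaches the shell.
    echo shell_exec(escapeshellarg($path) . ' 2>&1');
}
```

If the assumed `cgi-bin/cgiscripts` directory does not exist beside the script, every sample is rejected, which is the fail-closed behaviour you want from this kind of check.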