bvr wrote:

>Still this wouldn't prevent a visitor from passing something like :
>
>../../../../bin/cat /etc/passwd
>
>bvr.
>
Erk good point - I should have mentioned that it's a very good idea to 
run basename() on user input as well, as this will knock off any 
directory paths they may have attempted to add. Alternatively run a 
regular expression to ensure their input consists only of harmless 
characters (for example [a-zA-Z0-9]).

http://www.php.net/basename

>>>if (action=="cgi") echo `./cgi-bin/cgiscripts/${scripts} 2&>1`;
>>>
>>If you still want to use that method have a look at these two functions 
>>which can be used to make user input "safe" for use on a command line:
>>
>>http://www.php.net/manual/en/function.escapeshellarg.php
>>http://www.php.net/manual/en/function.escapeshellcmd.php
>>
>>Simon
>>
-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
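As an added example that is not part of the thread above (not Simon's or bvr's code), the following PHP puts the three suggestions together: basename() to drop directory components, a character allow-list, and escapeshellarg() before the value reaches a shell. It also adds a canonical-path check, because basename() alone turns "../../../../bin/cat /etc/passwd" into "passwd", a name that looks harmless but still does not belong to the script directory. The directory name, function names and sample inputs are assumptions for illustration.

```php
<?php
// Added example: validate a user-supplied CGI script name before executing it.
// CGI_DIR and the function names are assumed for illustration.

const CGI_DIR = __DIR__ . '/cgi-bin/cgiscripts';

/**
 * Return the canonical path of an allowed script, or null if the input is rejected.
 */
function resolve_cgi_script(string $userInput): ?string
{
    // 1. basename() strips any directory component, so "../../bin/cat"
    //    collapses to "cat" and "../../../../bin/cat /etc/passwd" to "passwd".
    $name = basename($userInput);

    // 2. Allow-list: letters, digits, underscore and dot only, and the name
    //    may not start with a dot, so "..", hidden files, spaces and shell
    //    metacharacters such as ";" or "|" are all rejected here.
    if (!preg_match('/^[a-zA-Z0-9_][a-zA-Z0-9_.]*$/', $name)) {
        return null;
    }

    // 3. The script must actually live inside CGI_DIR. realpath() resolves
    //    symlinks, so the comparison is made on the canonical path.
    $dir  = realpath(CGI_DIR);
    $path = realpath(CGI_DIR . '/' . $name);
    if ($dir === false || $path === false) {
        return null;
    }
    if (strpos($path, $dir . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    if (!is_file($path) || !is_executable($path)) {
        return null;
    }
    return $path;
}

/**
 * Run the validated script and return its combined output, or null if rejected.
 */
function run_cgi_script(string $userInput): ?string
{
    $path = resolve_cgi_script($userInput);
    if ($path === null) {
        return null;
    }
    // escapeshellarg() single-quotes the value and escapes embedded quotes,
    // so even a path containing unusual characters is passed as one argument.
    return shell_exec(escapeshellarg($path) . ' 2>&1');
}

// Constructed sample inputs: only the first can pass, and only if the file exists.
$samples = [
    'hello.cgi',
    '../../../../bin/cat /etc/passwd',
    'hello.cgi; id',
    '.hidden',
];
foreach ($samples as $sample) {
    $resolved = resolve_cgi_script($sample);
    printf("%-36s => %s\n", $sample, $resolved === null ? 'REJECTED' : $resolved);
}
```

The order matters: the regex runs on the basename() result, so the allow-list only has to describe a single file name, and the realpath() comparison is the last line of defence if a later change to the pattern accidentally lets a traversal component through. Using ' 2>&1' inside the command string keeps stderr and stdout together the way the original snippet intended.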
