From: czke at czke dot com Operating system: Linux PHP version: Irrelevant PHP Bug Type: Strings related Bug description: system command execution with echo()
Description: ------------ It is posibble to execute system commands with echo using the "`". My opinion is that with a string function this should not be posible. Reproduce code: --------------- <?php echo "<pre>"; echo `ls -l /`; ?> -- Edit bug report at http://bugs.php.net/?id=30308&edit=1 -- Try a CVS snapshot (php4): http://bugs.php.net/fix.php?id=30308&r=trysnapshot4 Try a CVS snapshot (php5.0): http://bugs.php.net/fix.php?id=30308&r=trysnapshot50 Try a CVS snapshot (php5.1): http://bugs.php.net/fix.php?id=30308&r=trysnapshot51 Fixed in CVS: http://bugs.php.net/fix.php?id=30308&r=fixedcvs Fixed in release: http://bugs.php.net/fix.php?id=30308&r=alreadyfixed Need backtrace: http://bugs.php.net/fix.php?id=30308&r=needtrace Need Reproduce Script: http://bugs.php.net/fix.php?id=30308&r=needscript Try newer version: http://bugs.php.net/fix.php?id=30308&r=oldversion Not developer issue: http://bugs.php.net/fix.php?id=30308&r=support Expected behavior: http://bugs.php.net/fix.php?id=30308&r=notwrong Not enough info: http://bugs.php.net/fix.php?id=30308&r=notenoughinfo Submitted twice: http://bugs.php.net/fix.php?id=30308&r=submittedtwice register_globals: http://bugs.php.net/fix.php?id=30308&r=globals PHP 3 support discontinued: http://bugs.php.net/fix.php?id=30308&r=php3 Daylight Savings: http://bugs.php.net/fix.php?id=30308&r=dst IIS Stability: http://bugs.php.net/fix.php?id=30308&r=isapi Install GNU Sed: http://bugs.php.net/fix.php?id=30308&r=gnused Floating point limitations: http://bugs.php.net/fix.php?id=30308&r=float MySQL Configuration Error: http://bugs.php.net/fix.php?id=30308&r=mysqlcfg