I have a PHP page that needs to make a system() call to a Perl app. I
need to send user-entered search terms as parameters to the Perl app,
and then capture the output from Perl, do some light processing on it,
and then embed that into the PHP page.
I know how to do it, but this is not a controlled environment like a
LAN or a personal PC, so I am very paranoid about the risks of making
the system() call with user-supplied input. I know I will need to
escapeshellarg() the user input. Are there any other checks you would
recommend? Perhaps checks against the length of the user input?
ctype_alnum()? Anything else I'm not thinking of?
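The checks the question asks about (length limit, character allow-list, escaping), plus the one that removes the shell from the picture entirely, as an added example. This is not the poster's code: it assumes a hypothetical Perl tool at `/usr/local/bin/search.pl` that takes the search term as a positional argument, PHP 7.4 or later (the array form of `proc_open()` that passes each argument directly to execve without a shell), and a Unix host. `escapeshellarg()` is only shown for the case where a single command string is unavoidable; validation happens before either path.

```php
<?php
declare(strict_types=1);

// Assumed path to the Perl search tool (hypothetical; adjust for your host).
const SEARCH_TOOL = '/usr/local/bin/search.pl';
const MAX_TERM_LENGTH = 64;          // hard length cap on user input
const MAX_OUTPUT_BYTES = 1 << 20;    // 1 MiB cap on captured stdout

/**
 * Allow-list validation of one user-entered search term.
 * Returns the normalised term, or null if it must be rejected.
 */
function validate_search_term(string $term): ?string
{
    $term = trim($term);
    if ($term === '' || strlen($term) > MAX_TERM_LENGTH) {
        return null;
    }
    // Reject NUL and control bytes outright; these are what slip past naive
    // escaping and confuse the child program or anything that logs the term.
    if (preg_match('/[\x00-\x1F\x7F]/', $term)) {
        return null;
    }
    // Allow-list: letters, digits, space, period, underscore, hyphen.
    // Widen it deliberately for your search syntax, never by default.
    if (!preg_match('/\A[A-Za-z0-9 ._-]+\z/', $term)) {
        return null;
    }
    // A leading '-' would be parsed as an option by the Perl tool (Getopt).
    // The '--' separator in run_search() already stops that; reject it anyway.
    if ($term[0] === '-') {
        return null;
    }
    return $term;
}

/**
 * Only if you must hand a single string to system()/exec(): validate first,
 * then escape every argument. Escaping alone does not replace validation.
 */
function legacy_command_string(string $validatedTerm): string
{
    return escapeshellarg(SEARCH_TOOL) . ' -- ' . escapeshellarg($validatedTerm);
}

/**
 * Run the Perl tool with no shell at all. With the array form of proc_open()
 * each element becomes its own argv entry, so shell metacharacters in the
 * term are never interpreted. Returns ['ok', 'error', 'exit', 'html'].
 */
function run_search(string $term, int $timeoutSeconds = 10): array
{
    $validated = validate_search_term($term);
    if ($validated === null) {
        return ['ok' => false, 'error' => 'invalid search term', 'exit' => null, 'html' => ''];
    }

    $argv = [SEARCH_TOOL, '--', $validated];      // '--' ends option parsing
    $spec = [
        0 => ['file', '/dev/null', 'r'],           // no stdin for the child
        1 => ['pipe', 'w'],                        // capture stdout
        2 => ['pipe', 'w'],                        // capture stderr separately
    ];
    // Minimal explicit environment: the request cannot influence PATH/PERL5LIB.
    $env = ['PATH' => '/usr/bin:/bin', 'LANG' => 'C'];

    $proc = proc_open($argv, $spec, $pipes, '/', $env);
    if (!is_resource($proc)) {
        return ['ok' => false, 'error' => 'failed to start search tool', 'exit' => null, 'html' => ''];
    }
    stream_set_blocking($pipes[1], false);
    stream_set_blocking($pipes[2], false);

    $out = '';
    $exitCode = null;
    $deadline = microtime(true) + $timeoutSeconds;
    while (true) {
        $out .= (string) stream_get_contents($pipes[1]);
        stream_get_contents($pipes[2]);            // drain stderr, discard it
        $status = proc_get_status($proc);
        if (!$status['running']) {
            $exitCode = $status['exitcode'];       // read here; proc_close() may return -1 later
            break;
        }
        if (strlen($out) > MAX_OUTPUT_BYTES || microtime(true) > $deadline) {
            proc_terminate($proc, 9);              // SIGKILL a hung or runaway search
            fclose($pipes[1]); fclose($pipes[2]); proc_close($proc);
            return ['ok' => false, 'error' => 'search timed out or output too large', 'exit' => null, 'html' => ''];
        }
        usleep(20000);
    }
    $out .= (string) stream_get_contents($pipes[1]); // final drain after exit
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);

    // The Perl output is untrusted too: encode it before embedding in the page.
    $html = htmlspecialchars($out, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return ['ok' => $exitCode === 0, 'error' => null, 'exit' => $exitCode, 'html' => $html];
}

// Usage from the page: $result = run_search($_GET['q'] ?? '');
```

The order matters: reject anything outside the allow-list first, keep the term short, pass it as a discrete argv entry rather than through `/bin/sh`, and treat what comes back from Perl as untrusted output that still needs HTML encoding. `ctype_alnum()` is a reasonable allow-list if your search syntax never needs spaces or punctuation; the regex above is the same idea with a slightly wider set.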