[thelist] Safe mode and escapeshellcmd
Santilal Parbhu
santilal at scorpioneng.co.nz
Tue Apr 18 05:25:45 CDT 2006
Hi Guys,

I read in a book somewhere that it is a good idea to use
escapeshellcmd() to clean user-entered data. This is supposed to reduce the
chances of a hacker entering control characters along with user data. This
sounds like a good idea. I have used the following code fragment to clean
data.
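<?php
// Truncate the input to $maxlength, then escape shell metacharacters.
function clean($input, $maxlength)
{
    $input = substr($input, 0, $maxlength);
    // Escapes characters that have a special meaning to a shell
    $input = escapeshellcmd($input);
    return $input;
}
?>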
This worked fine when I was testing my scripts with Apache running on my
laptop. However, once I uploaded to an ISP hosted server, I ran into
problems. They operate in safe mode, which also sounds sensible. But
escapeshellcmd is disabled in safe mode, or at least my ISP has disabled
it. It seems strange to me that both of these mechanisms (i.e. operating in
safe mode and escapeshellcmd) are aimed at reducing the risk of attack, but
they don't appear to be compatible with each other. Any comments? Should I
just forget about using the clean function?
Thanks.
Santilal
Santilal Parbhu
Scorpion Engineering Limited
PO Box 171
Alexandra
Phone 03 448 5421
Fax 03 448 5421
Mobile 021 265 5991
Web www.scorpioneng.co.nz
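
An added example, not part of the original post: escapeshellcmd() escapes shell metacharacters in a string that is about to be passed to a shell, so a clean() for form data can bound and strip the input without it and escape for the output context at the point of use. The function names and sample inputs below are constructed for illustration, and the availability check assumes a host that has disabled the shell-escaping functions.

```php
<?php
// Added example: all function names and sample values are constructed.

// Bound the length and strip ASCII control characters (tab, CR and LF are kept).
// No shell-related function is needed for this step.
function clean_input(string $input, int $maxlength): string
{
    $input = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', '', $input) ?? '';
    // substr() counts bytes, as in the original clean(); it can split a
    // multi-byte UTF-8 character at the cut-off.
    return substr($input, 0, $maxlength);
}

// Escape for HTML at the point where the value is written into a page.
function for_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Escape for a shell only when the value really becomes one command argument.
// A host may have disabled the function, so fail closed instead of passing
// the raw value through.
function for_shell_arg(string $value): string
{
    if (!function_exists('escapeshellarg')) {
        throw new RuntimeException('escapeshellarg() is unavailable on this host');
    }
    return escapeshellarg($value);
}

// Constructed sample inputs: ordinary data that contains shell or HTML
// metacharacters, plus one value carrying control characters.
$samples = ["Alice", "O'Brien & Sons", "bell\x07 and nul\x00 bytes", "<b>bold</b>"];

foreach ($samples as $raw) {
    $clean = clean_input($raw, 20);
    echo "raw:   ", var_export($raw, true), "\n";
    echo "clean: ", var_export($clean, true), "\n";
    echo "html:  ", for_html($clean), "\n";
    // Shown for comparison only: what the original clean() would have stored.
    if (function_exists('escapeshellcmd')) {
        echo "escapeshellcmd: ", escapeshellcmd($clean), "\n";
    }
    echo "\n";
}
```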