[thelist] Safe mode and escapeshellcmd

Santilal Parbhu santilal at scorpioneng.co.nz
Tue Apr 18 05:25:45 CDT 2006

Hi Guys

I read in a book somewhere that it is a good idea to use the
escapeshellcmd() to clean user entered data.  This is supposed to reduce the
chances of a hacker entering control characters along with user data.  This
sounds like a good idea.  I have used the following code fragment to clean

function clean($input, $maxlength)
	$input = substr($input, 0, $maxlength);
	$input = EscapeShellCmd($input);
	return ($input);

This worked fine when I was testing my scripts with Apache running on my
laptop.  However, once I uploaded to an ISP hosted server, I ran into
problems.  They operate in safe mode, which also sounds sensible.  But
escapeshellcmd is disabled in  safe mode, or at least my ISP has disabled
it.  It seems strange to me that both of these mechanisms (i.e. operating in
safe mode and escapeshellcmd) are aimed at reducing the risk of attack, but
they don't appear to be compatible with each other.  Any comments?  Should I
just forget about using the clean function?



Santilal Parbhu
Scorpion Engineering Limited
PO Box 171

Phone 03 448 5421
Fax 03 448 5421
Mobile 021 265 5991
Web www.scorpioneng.co.nz

More information about the thelist mailing list