Securing a string before exec()ing it

HarbinBeer

I have a PHP app which takes a user-inputted $imageurl and does the following:

```php
exec('convert "'.$url.'" -thumbnail 80x500 "images/out.jpg"');
```

Now obviously I have to take some precautions with this to stop users from executing arbitrary code. For example, if the user sets `$url` to `";rm -rf *;"`, that is no good at all.

So for starters I have to filter out `"` so that no matter what they type in, they can't escape from their input being a parameter to `convert`. But should I filter out `;` as well? I've seen URLs with semicolons in them... and while the semicolon is really the danger here, filtering out `"` would still keep me safe, right? But can URLs have `"` in them? And are there any other characters I should watch for?

Maybe instead of filtering characters out I should try to escape them. So should I try to escape every character interpreted specially by the shell? Or just escape `"` as everything else is sort of "pre-escaped" given that it's inside double-quotes?

Sorry for my rambling confusion, I'm just new at this and want to stay safe!

Thanks,
Mala
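
An added example, not part of the original post: one way to harden the `exec()` call asked about above by validating the URL and then quoting it with PHP's `escapeshellarg()` rather than filtering individual characters. The helper name `build_convert_command()`, the http/https allow-list and the sample inputs are assumptions made for illustration, and a POSIX shell is assumed.

```php
<?php
// Added example (not the poster's code). build_convert_command() is a
// hypothetical helper; a POSIX shell is assumed.

function build_convert_command(string $url, string $outPath): string
{
    // 1. Validate first: accept only well-formed absolute URLs.
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        throw new InvalidArgumentException('not a valid URL');
    }

    // 2. Allow-list the scheme (an assumption for this example) so the value
    //    cannot be a local path or a string that convert reads as an option.
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        throw new InvalidArgumentException('only http and https are allowed');
    }

    // 3. Quote instead of filtering. escapeshellarg() wraps the value in
    //    single quotes and escapes any embedded single quote, so the shell
    //    passes it on as one literal argument. Double quotes do not give that
    //    guarantee: the shell still expands $, backticks and backslashes
    //    inside them, so escaping only " is not enough.
    return 'convert ' . escapeshellarg($url)
         . ' -thumbnail 80x500 ' . escapeshellarg($outPath);
}

// Constructed sample inputs, including the string from the post.
$samples = [
    'http://example.com/photo.jpg',
    'http://example.com/photo;size=large.jpg', // semicolons are legal in URLs
    '";rm -rf *;"',
    '-write /tmp/x.jpg',
];

foreach ($samples as $sample) {
    try {
        echo build_convert_command($sample, 'images/out.jpg'), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

The returned string is what would be handed to `exec()`; passing `exec()` its optional output and result-code arguments lets the caller detect a failed conversion.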
 