Oh BTW if you are integrating into some much larger PHP system, be EXTREMELY
careful to really, really sanitize any variables used in backticks or exec(). You MUST
decide which REGEX is allowed and allow only that. Attempting to remove specific bad
characters won't cut it at all. So far, I've never seen ANY PHP script whose exec()
sanitization couldn't be broken using one particular method, thereby giving the attacker
the ability to run arbitrary code, so seriously be careful using exec with PHP.
(For those who know enough to think they are doing it right, consider \0 and its
6 encodings.)
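Added example, not from the post above or from the poster's products: the "remove bad characters" approach placed next to the allowlist check the post recommends, so the difference can be seen on a few probe strings. The regex, the probe values and the `file -b` command are assumptions chosen for illustration.

```php
<?php
// Added example (not from the original post). Shows why an allowlist regex,
// anchored at both ends, is the check to use before a value reaches exec()
// or backticks, and why stripping selected characters is not.

// Denylist approach: removes a handful of shell metacharacters. Anything not
// on the list (newlines, "$(...)", a NUL byte, an encoded NUL that a later
// layer might decode) passes straight through unchanged.
function denylist_clean(string $s): string {
    return str_replace([';', '|', '&', '`'], '', $s);
}

// Allowlist approach: accept only if the WHOLE string has the expected shape.
// \A and \z anchor both ends; a bare $ would still match a string that ends
// in a newline, so it is deliberately not used here.
function allowlist_ok(string $s): bool {
    return preg_match('/\A[A-Za-z0-9_.-]{1,64}\z/', $s) === 1;
}

// Runs a fixed command on the validated value. Rejected input is refused,
// not "repaired" and retried. Returns null on rejection or command failure.
function run_tool_on(string $name): ?string {
    if (!allowlist_ok($name)) {
        return null;
    }
    // escapeshellarg() is defence in depth; the allowlist already excludes
    // everything the shell would interpret.
    $cmd = 'file -b ' . escapeshellarg($name);   // assumed command
    $out = [];
    $rc  = 1;
    exec($cmd, $out, $rc);
    return $rc === 0 ? implode("\n", $out) : null;
}

// Constructed probe values: the denylist output next to the allowlist verdict.
$probes = ["report.txt", "a;b", "a\nb", "\$(date)", "a\0b", "a%00b"];
foreach ($probes as $p) {
    printf("%-14s denylist=> %-14s allowlist=> %s\n",
        json_encode($p), json_encode(denylist_clean($p)),
        allowlist_ok($p) ? 'accept' : 'reject');
}
```

Only the first probe is accepted by the allowlist; the denylist returns every other probe with at most one character removed, including the NUL byte the post points at.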