southbeach
I am working on a script in SCO Unix running PHP as a web front end. From the PHP script, I am running a shell script to which I am passing, as a parameter, a value submitted through a form.
Given $_POST['varA'], I need to make sure that this does not contain any special characters known to break commands or open shells in Unix.
I figure these are to be removed:
; ` ' " / \
I want to make sure that if passing said variable in the form of
Code:
$x = '/usr/local/bin/myScript "' . $_POST['varA'] . '" > /dev/null 2>/dev/null';
system($x);
I am not leaving an open opportunity for injections where
a) the code could be made to fail
b) potential executable commands could be inserted
Of course, the script I am running reads $1 as a variable and does not execute it at all, nor does it use the variable content within an executed string. I am just taking the parameter and passing it forward to a home-grown application to produce the results expected by the web query.
I am enclosing the variable within quotes to make sure that the entire field content is passed as a single variable, but if I do not remove single quotes, double quotes or other characters, I am facing a time bomb.
Thanks,
--
SouthBeach
The good thing about not knowing is the opportunity to learn - Yours truly, 2008.
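The two standard defences for the system() call in the post, as an added example that is not the poster's code: an allow-list check on the field (the constructed pattern is an assumption; it must match whatever the home-grown application legitimately accepts) and escapeshellarg() in place of the hand-built double quotes. The script path /usr/local/bin/myScript is taken from the post; the sample input is constructed.

```php
<?php
// Added example (not the original poster's code). Assumes, as in the
// post, that /usr/local/bin/myScript takes one positional argument.

// 1. Allow-list validation: reject anything outside the characters the
//    downstream application really needs. The pattern below is a
//    constructed placeholder; widen it only for characters the field
//    legitimately carries. Blacklisting ; ` ' " / \ is fragile because the
//    shell also treats $, &, |, <, >, (, ), newline and others specially.
function validate_vara(string $value): string
{
    if ($value === '' || strlen($value) > 64) {
        throw new InvalidArgumentException('varA missing or too long');
    }
    if (!preg_match('/\A[A-Za-z0-9 ._-]+\z/', $value)) {
        throw new InvalidArgumentException('varA contains disallowed characters');
    }
    return $value;
}

// 2. Shell-safe quoting: escapeshellarg() wraps the value in single quotes
//    and escapes any embedded single quote, so the shell sees exactly one
//    word no matter which metacharacters or whitespace the input contains.
//    This replaces the '"' . $_POST['varA'] . '"' construction in the post.
function build_command(string $vara): string
{
    return '/usr/local/bin/myScript ' . escapeshellarg($vara)
         . ' > /dev/null 2>/dev/null';
}

// Constructed sample input standing in for $_POST['varA'].
$vara = "O'Brien \"test\"";

// Quoting alone keeps this value a single argument, quotes included.
echo build_command($vara), PHP_EOL;

// The allow-list alone rejects it, because quote characters are not
// permitted; in production, validate first and quote what survives.
try {
    validate_vara($vara);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Inside myScript itself, reference the parameter as "$1" (quoted) so the value is not word-split a second time when it is handed on to the home-grown application.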