I recently found out about shell injection, and I have code that executes user input in a shell environment. I need to sanitize the input so that there are no backticks or other malicious strings. Is it enough to use str_replace() and remove them?
Viewed 433 times
0

Ali Sh
- 117
- 1
- 7
2 Answers
0
Just replacing the backticks is not enough to safely pass a user-provided string to the shell, since there are other characters besides backticks that could cause trouble.
PHP has a built-in function you can use for that: escapeshellcmd

ebcode
- 124
- 1
- 5
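The following is an added example, not code from the answer above, showing why stripping backticks with str_replace() leaves the string unsafe and how PHP's own escapeshellarg() and escapeshellcmd() differ. The `ls -l` command, the function names and the sample inputs are constructed for illustration; nothing here is executed, only the command strings are printed.

```php
<?php
// Added example (not from the answer): backtick removal versus PHP's escaping functions.
// The command built here (ls -l <dir>) and the sample inputs are constructed.

// 1. The approach from the question: strip backticks and nothing else.
function strip_backticks(string $input): string {
    return str_replace('`', '', $input);
}

// 2. escapeshellarg() wraps the value in single quotes and escapes any embedded
//    single quote, so the shell sees exactly one argument no matter what it contains.
function build_ls_command(string $dir): string {
    return 'ls -l ' . escapeshellarg($dir);
}

$samples = [
    'photos',            // benign name
    'photos`id`',        // backtick substitution: removed by str_replace()
    'photos$(id)',       // $(...) substitution: survives str_replace()
    'photos; id',        // command separator: survives str_replace()
    "photos' ; id ; '",  // tries to close the single quotes escapeshellarg() adds
];

foreach ($samples as $s) {
    echo 'input:           ', $s, PHP_EOL;
    echo '  str_replace:   ls -l ', strip_backticks($s), PHP_EOL;
    echo '  escapeshellarg: ', build_ls_command($s), PHP_EOL;
}

// escapeshellcmd() is meant for a complete command string rather than one argument:
// it backslash-escapes shell metacharacters (such as ; | & $ ` < > and parentheses),
// so a separator inside the string no longer starts a second command.
echo escapeshellcmd('ls -l photos; id'), PHP_EOL;   // prints: ls -l photos\; id
```

In practice, prefer escapeshellarg() per argument over escapeshellcmd() on the whole line: with escapeshellarg() the user value can never become more than one argument, whereas escapeshellcmd() still lets the value add extra arguments to the command.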
0
Please check the link below: How to prevent code injection attacks in PHP?
You have plenty of ways to achieve what you want. As you said, "str_replace" can do the job. You can also use a regex like
$Content = preg_replace("/&#?[a-z0-9]+;/i","",$Content);
Also you can use PHP filters to validate inputs.

Amir Hedieh
- 1,120
- 1
- 14
- 28
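As an added example (not code from the answer above) of the validation approach this answer mentions: instead of removing "bad" characters, accept only values that match an allowlist, validate numeric parameters with filter_var(), and still pass the result through escapeshellarg(). The `tail -n` command, the function names and the sample inputs are constructed for illustration; the command strings are only printed, not executed.

```php
<?php
// Added example (not from the answer): allowlist validation before any shell use.
// The command built here (tail -n <count> <file>) and the sample inputs are constructed.

// Accept only a plain file name: letters, digits, dot, dash and underscore, at most
// 64 characters. Slashes and every shell metacharacter are rejected outright.
function is_safe_name(string $s): bool {
    return preg_match('/\A[A-Za-z0-9._-]{1,64}\z/', $s) === 1
        && $s !== '.' && $s !== '..';
}

// Numeric parameters are validated as integers within a range; nothing is "cleaned".
function parse_line_count(string $s): ?int {
    $n = filter_var($s, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 1000]]);
    return $n === false ? null : $n;
}

// The command is built only from validated pieces. escapeshellarg() is kept as a
// second layer even though the allowlist already excludes quoting problems.
function build_tail_command(string $file, string $count): ?string {
    $n = parse_line_count($count);
    if (!is_safe_name($file) || $n === null) {
        return null;   // reject the request instead of trying to repair the value
    }
    return 'tail -n ' . $n . ' ' . escapeshellarg($file);
}

$tests = [
    ['app.log',      '50'],
    ['../other.log', '50'],     // path separator: rejected
    ['app.log; id',  '50'],     // separator and space: rejected
    ['app.log',      '50; id'], // not an integer: rejected
    ['app.log',      '5000'],   // out of range: rejected
];
foreach ($tests as [$f, $c]) {
    $cmd = build_tail_command($f, $c);
    printf("%-14s %-8s => %s\n", $f, $c, $cmd ?? 'REJECTED');
}
```

The regex in the answer above removes HTML entities and is useful for HTML output, but it does nothing for the shell; an allowlist on the value's expected shape, as shown here, is what blocks shell metacharacters.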