On 15/09/15 18:23, Anthony Ferrara wrote:
> Third, it ignores context. This is related to the first two, but I
> think is a separate concern. An example from the taint RFC
> (https://wiki.php.net/rfc/taint) is the shell-execution. If the
> variable is used in the context of command, one escape function is
> needed. If it's used as an argument, another is needed. Detecting
> which is not something that's trivial for a language-level taint
> function. (…)
Actually, you almost always will want escapeshellarg(). escapeshellcmd()
_might_ be useful for code like the function example, where you want the
user to explicitly provide *several* parameters, *and* you somehow don't
want to split by spaces and apply escapeshellarg to each. And even then,
there are non-working edge cases waiting to bite you, as shown in the
comments.

You have a good point, but escapeshellcmd or "let's change the SQL encoding"
are things that you'd better avoid, security-wise.

Best regards


--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
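The difference between the two escaping functions discussed in the message above, as an added example that is not part of the original thread or of PHP's own documentation. It assumes a POSIX shell with printf(1) (escapeshellarg() quotes differently on Windows), and the user inputs are constructed to show argument injection: escapeshellcmd() leaves whitespace and paired quotes alone, so the input still splits into several argv entries, while escapeshellarg() always yields exactly one argument. The helper that splits on whitespace and escapes each token is the "several parameters" variant the message mentions.

```php
<?php
// Added example (not from the original post). Assumes a POSIX sh with printf(1).
// Runs a command line through the shell and returns how the shell split it into
// argv entries, each wrapped in brackets, so the split is visible.
function shellArgv(string $cmdline): string {
    return trim((string) shell_exec("printf '[%s]' $cmdline"));
}

// Case 1: escapeshellcmd() over the whole command line. Constructed input that
// looks like a filename but carries extra options. Only shell metacharacters
// are escaped; whitespace and '-' are not, so the shell sees three arguments.
function cmdEscapedWhole(string $userInput): string {
    return escapeshellcmd("ls " . $userInput);
}

// Case 2: the developer wraps the value in quotes and still calls
// escapeshellcmd(). Quotes that come in pairs are left unescaped, so the
// attacker closes the quote, adds arguments, and reopens it.
function cmdEscapedWholeQuoted(string $userInput): string {
    return escapeshellcmd("ls '" . $userInput . "'");
}

// Case 3: escapeshellarg() on the value: always exactly one argv entry.
// The trailing "--" tells ls to stop option parsing, because escapeshellarg()
// only guarantees one argument; it does not stop the program itself from
// treating a leading '-' as an option.
function cmdEscapedArg(string $userInput): string {
    return "ls -- " . escapeshellarg($userInput);
}

// The "several parameters" variant: split on whitespace and escape each token.
// Note that this intentionally discards any quoting the user typed.
function cmdEscapedEachArg(string $userInput): string {
    $parts = preg_split('/\s+/', trim($userInput), -1, PREG_SPLIT_NO_EMPTY);
    return "ls -- " . implode(' ', array_map('escapeshellarg', $parts));
}

// Constructed attacker inputs.
$optionSmuggle = "-la /etc";          // relies on whitespace not being escaped
$quoteSmuggle  = "foo' -la /etc '";   // relies on paired quotes not being escaped

$cases = [
    'escapeshellcmd, plain'        => cmdEscapedWhole($optionSmuggle),
    'escapeshellcmd, quoted'       => cmdEscapedWholeQuoted($quoteSmuggle),
    'escapeshellarg, single value' => cmdEscapedArg($quoteSmuggle),
    'escapeshellarg, each token'   => cmdEscapedEachArg($optionSmuggle),
];

foreach ($cases as $label => $cmdline) {
    printf("%-30s %s\n", $label . ':', $cmdline);
    printf("%-30s %s\n\n", 'argv seen by the shell:', shellArgv($cmdline));
}
```

Running it shows the first two command lines split into `[ls][-la][/etc]` and `[ls][foo][-la][/etc][]`, so the "filename" became options and an extra path, whereas the escapeshellarg() variant produces `[ls][--][foo' -la /etc ']`, one argument with the quotes and spaces intact. The per-token variant yields `[ls][--][-la][/etc]`: each token is safe against shell interpretation, but the program still receives several arguments, which is exactly why the message recommends escapeshellarg() on individual values rather than escaping a whole command string.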
