Re: [PHP] securing a script that exec()s

2012-03-31 Thread tamouse mailing lists
On Sat, Mar 31, 2012 at 1:37 AM, rene7705 wrote:
> escapeshellcmd() seems simplest.

It might be if all you care about are shell meta characters, and admittedly it will save you from someone entering "& rm -rf / &" in your input field. But dealing with generic user input, even escaped, can still b

Re: [PHP] securing a script that exec()s

2012-03-30 Thread tamouse mailing lists
On Fri, Mar 30, 2012 at 7:05 AM, David OBrien wrote:
> Find a way to do it using PHP's imagemagick extensions
>
> http://php.net/manual/en/book.imagick.php
>
> On Fri, Mar 30, 2012 at 5:56 AM, rene7705 wrote:
>
>> Hi.
>>
>> I have a script that uses imagemagick's convert command on the commandlin

Re: [PHP] securing a script that exec()s

2012-03-30 Thread Mike Mackintosh
On Mar 30, 2012, at 9:25 AM, rene7705 wrote:
> On Fri, Mar 30, 2012 at 3:16 PM, Peter Bauer wrote:
>
>> On Fri, Mar 30, 2012 at 11:56:41AM +0200, rene7705 wrote:
>>> ...
>>> But unfortunately, $_SERVER['REMOTE_ADDR'] is my external IP, and
>>> $_SERVER['SERVER_ADDR'] is my internal IP.
>>>
>>>

Re: [PHP] securing a script that exec()s

2012-03-30 Thread rene7705
On Fri, Mar 30, 2012 at 3:16 PM, Peter Bauer wrote:
> On Fri, Mar 30, 2012 at 11:56:41AM +0200, rene7705 wrote:
> > ...
> > But unfortunately, $_SERVER['REMOTE_ADDR'] is my external IP, and
> > $_SERVER['SERVER_ADDR'] is my internal IP.
> >
> > How would I best fix this?
>
> Simply log on your bo

Re: [PHP] securing a script that exec()s

2012-03-30 Thread David OBrien

Re: [PHP] securing a script that exec()s

2012-03-30 Thread Peter Bauer
On Fri, Mar 30, 2012 at 11:56:41AM +0200, rene7705 wrote:
> ...
> But unfortunately, $_SERVER['REMOTE_ADDR'] is my external IP, and
> $_SERVER['SERVER_ADDR'] is my internal IP.
>
> How would I best fix this?

Simply log on your box via ssh (if it's a unix system) and run your script from console o

Re: [PHP] securing a script that exec()s

2012-03-30 Thread David OBrien
Find a way to do it using PHP's imagemagick extensions

http://php.net/manual/en/book.imagick.php

On Fri, Mar 30, 2012 at 5:56 AM, rene7705 wrote:
> Hi.
>
> I have a script that uses imagemagick's convert command on the commandline
> to get its work done.
> These calls to exec('convert [params]

Re: [PHP] securing a script that exec()s

2012-03-30 Thread Bastien
Bastien Koert

On 2012-03-30, at 5:56 AM, rene7705 wrote:
> Hi.
>
> I have a script that uses imagemagick's convert command on the commandline
> to get its work done.
> These calls to exec('convert [params]') take params from the end-user via a
> html form, so is very unsecure.
>
> The inten