安全执行 shell 脚本；在执行前转义变量 [英] Safe executing shell scripts; escaping vars before execution

问题描述

假设我们有一个简单的 php 脚本，它应该从 $_GET 数组中获取 ssh_host、ssh_username、ssh_port 并尝试使用连接将此参数传递给 SSH.

Let's imagine that we have a simple php script that should get ssh_host, ssh_username, ssh_port from $_GET array and try to connect using this parameters to SSH.

$port      = escapeshellcmd($_GET['ssh_port']);
$host      = escapeshellcmd($_GET['ssh_host']);
$username  = escapeshellcmd($_GET['ssh_username']);

$answer = shell_exec("ssh -p " . $port . " " . $user . "@" . $host);

escapeshellcmd() 是否足够，或者我需要一些更棘手的东西?或者我应该在这个例子中使用 escapeshellarg() ?

Is escapeshellcmd() enough or I need something more tricky? Or maybe I should use escapeshellarg() in this example?

谢谢.

推荐答案

我想说这就是 escapeshellarg 函数已创建用于 -- 因此，要转义参数，您应该使用该函数.

I would say that this is what the escapeshellarg function has been created for -- so, to escape parameters, that's the one you should be using.

基本上:

• 要转义一个参数，请使用 escapeshellarg
• 要转义整个命令，请使用 escapeshellcmd.

引用他们各自的文档:

Quoting their respective documentations :

escapeshellcmd() :
这个函数应该用于确保来自用户输入的任何数据在这些数据被传递给 exec() 或 system() 函数之前被转义，或给反引号运算符.

escapeshellarg() :
这个函数应该用于将单个参数转义到来自用户输入的shell函数.

escapeshellcmd() :
This function should be used to make sure that any data coming from user input is escaped before this data is passed to the exec() or system() functions, or to the backtick operator.

escapeshellarg() :
This function should be used to escape individual arguments to shell functions coming from user input.

这篇关于安全执行 shell 脚本；在执行前转义变量的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！