Solved

Using escapeshellcmd.

Posted on 2005-04-18
Last Modified: 2012-06-27
I have two input boxes, username and password. I want to prevent any kind of script from being entered into the boxes; I believe you can disable any scripts entered using escapeshellcmd, which puts forward slashes etc. in.
Below I have the following variables; how would I go about doing the above? I would prefer to keep the variable names the same, though.

<?php
    $username = $_POST['username'];
    $password = $_POST['password'];
?>
Thanks in advance.
Question by:jdav3579
14 Comments
 
LVL 7

Expert Comment

by:Promethyl
ID: 13809125
Why not just MD5 or SHA1 the value before comparing it.

Are you passing these values to the shell?

 
LVL 6

Assisted Solution

by:alextr2003fr
alextr2003fr earned 500 total points
ID: 13809255
If you want to add escaping slashes to your variables, try http://fr.php.net/addslashes
Example:
<?php
    $username = addslashes($_POST['username']);
    $password = addslashes($_POST['password']);
?>
But IMHO it should only be done if you put your variables in a database, for example to avoid any SQL injection attacks.
Also see: stripslashes(), get_magic_quotes_gpc()
 
LVL 32

Accepted Solution

by:ldbkutty
ldbkutty earned 500 total points
ID: 13809463
Since the username & password are database related things, mysql_real_escape_string() is better than addslashes().
 
I recommend using the quote_smart() function in example 3 of this link: http://www.php.net/mysql_real_escape_string, with which stripslashes and get_magic_quotes_gpc are also covered.

Author Comment

by:jdav3579
ID: 13809935
I like MD5'ing the variables first; this seems like the best way. I have never used MD5 before, any suggestions? Thanks all for your comments.
 
LVL 20

Expert Comment

by:virmaior
ID: 13809981
I would tend to agree with all three of the posters here.

As far as I can tell, escapeshellcmd is not really useful for what you're trying to do...
http://us2.php.net/manual/en/function.escapeshellcmd.php
It's meant to guard against letting people EXECUTE dangerous commands on your shell (Unix equivalent of command.com/cmd.exe [for these purposes]).

I use the technique Promethyl describes, and also mysql_real_escape_string() on anything that's getting fed to MySQL.


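The point made in the accepted solution and in the comment above is that the right escaper depends on where the value is going: HTML output, a shell argument, or a SQL statement. The following is an added example, not code from the thread; it takes the question's $username variable and shows one safe handling per destination. It assumes PHP 7.1 or later with the pdo_sqlite extension, uses an in-memory SQLite table constructed here in place of the real users table, and the helper names (forHtml, forShellArg, lookupUser) are hypothetical. The fallback input values are constructed so the script runs from the command line without a form post.

```php
<?php
// Added example: one untrusted input, three destinations, three different escapers.
// Assumes PHP >= 7.1 with pdo_sqlite. Input values below are constructed for the demo.

$username = $_POST['username'] ?? "o'brien <script>alert(1)</script>";

// 1. HTML context: when echoing the value back into a page, neutralise markup so the
//    browser treats it as text. ENT_QUOTES also covers attribute values.
function forHtml(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 2. Shell context: escapeshellarg() quotes a single argument. escapeshellcmd() (the
//    function from the question) operates on a whole command line and is the wrong tool
//    for a form field. Shown for contrast only; nothing is executed here.
function forShellArg(string $value): string {
    return escapeshellarg($value);
}

// 3. SQL context: a prepared statement binds the value as data, so it is never spliced
//    into the SQL text. This replaces manual quoting with addslashes()/quote_smart().
function lookupUser(PDO $db, string $username): ?array {
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed stand-in for the application's database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE)');
$insert = $db->prepare('INSERT INTO users (username) VALUES (:u)');
$insert->execute([':u' => 'alice']);
$insert->execute([':u' => "o'brien"]);   // the quote is stored literally; no slashes needed

echo "HTML:  ", forHtml($username), "\n";
echo "Shell: ", forShellArg($username), "\n";

// A name containing a quote is found as-is...
var_dump(lookupUser($db, "o'brien"));
// ...and a value that tries to alter the query is just a string no user has.
var_dump(lookupUser($db, "x' OR '1'='1"));
```

Binding parameters removes the need to reason about quote_smart(), magic quotes, or stripslashes() at all; the value is handed to the database driver separately from the statement text, so its quotes and backslashes are stored exactly as typed.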
 
LVL 5

Expert Comment

by:dougday
ID: 13811427
Yes, I would agree with the MD5 of the variables also (If you like this, give points to Promethyl):

Something like this:

$salt = "some_random_text_that_nobody_can_guess_1zk#92k!!";
<?php
    $username = md5($_POST['username'] . $salt);
    $password = md5($_POST['password'] . $salt);
?>

-Doug
 
LVL 5

Expert Comment

by:dougday
ID: 13811434
Oops, put the $salt line inside the <?php tag.
 
LVL 20

Expert Comment

by:virmaior
ID: 13811594
dougday - that's not really the way you do it...
you MD5 the password on the client side using javascript
otherwise you aren't reaping any security benefits.
 
LVL 5

Expert Comment

by:dougday
ID: 13811610
True, I assumed use of SSL. (I guess I should stop assuming ;)
 
LVL 5

Assisted Solution

by:dougday
dougday earned 500 total points
ID: 13811614
I've never seen md5 in javascript -- do you have an example?
 
LVL 20

Assisted Solution

by:virmaior
virmaior earned 500 total points
ID: 13811629
I've got the code at work. (so tomorrow)
 
LVL 5

Expert Comment

by:dougday
ID: 13811634
Why thank you :)
 
LVL 7

Expert Comment

by:Promethyl
ID: 13811795
>I use the technique promethyl describes and also mysql_real_escape_string() anything that's getting fed to MySQL

Thank you. Although MD5 is insecure. Use SHA-1 or better.


http://us3.php.net/sha1

sha1

(PHP 4 >= 4.3.0, PHP 5)
sha1 -- Calculate the sha1 hash of a string
Description
string sha1 ( string str [, bool raw_output] )

Calculates the sha1 hash of str using the US Secure Hash Algorithm 1, and returns that hash. The hash is a 40-character hexadecimal number. If the optional raw_output is set to TRUE, then the sha1 digest is instead returned in raw binary format with a length of 20.

    Note: The optional raw_output parameter was added in PHP 5.0.0 and defaults to FALSE

Example 1. A sha1() example
<?php
$str = 'apple';

if (sha1($str) === 'd0be2dc421be4fcd0172e5afceea3970e2f3d940') {
   echo "Would you like a green or red apple?";
   exit;
}
?>

See also sha1_file(), crc32(), and md5()
 
LVL 20

Expert Comment

by:virmaior
ID: 13815237
I was hoping I had a link for the JS (I didn't write it).

This link has MD5, SHA-1, etc. in JavaScript:

http://pajhome.org.uk/crypt/md5/
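The hashing sub-thread (dougday's salted md5() snippet, Promethyl's move to sha1(), the client-side JavaScript hashing discussion) is about how to store a password so the stored value is not the password. The following is an added example, not code from the thread or from any of the posters. It uses PHP's own password_hash()/password_verify() (available since PHP 5.5), which generate a random per-user salt and use a deliberately slow algorithm; the property that matters for stored passwords is the cost of each guess, which neither MD5 nor SHA-1 provides. The hash is computed on the server after the password arrives over TLS (dougday's SSL assumption). The $store array is a constructed in-memory stand-in for the users table, and the function names (registerUser, loginUser, legacyHash) are hypothetical.

```php
<?php
// Added example: server-side password storage with password_hash()/password_verify().
// Assumes PHP >= 7.0. $store is a constructed in-memory stand-in for the users table.

function registerUser(array &$store, string $username, string $password): void {
    // The username stays in the clear: it is the lookup key, and hashing it (as in the
    // md5() snippet above) would only stop you finding the row. Only the secret is hashed.
    // PASSWORD_DEFAULT is bcrypt today; the salt and cost are embedded in the result.
    $store[$username] = password_hash($password, PASSWORD_DEFAULT);
}

function loginUser(array $store, string $username, string $password): bool {
    // A precomputed hash of a throwaway value, verified when the user does not exist,
    // keeps the unknown-user path as slow as the wrong-password path.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('not-a-real-password', PASSWORD_DEFAULT);
    }
    if (!isset($store[$username])) {
        password_verify($password, $dummy);
        return false;
    }
    return password_verify($password, $store[$username]);
}

// For contrast: the thread's construction, a fast digest over password plus one
// site-wide salt. Two users with the same password get the same stored value.
function legacyHash(string $password, string $salt): string {
    return sha1($password . $salt);
}

$users = [];
registerUser($users, 'jdav', 'correct horse battery staple');
registerUser($users, 'doug', 'correct horse battery staple');

echo "right password:  ", var_export(loginUser($users, 'jdav', 'correct horse battery staple'), true), "\n";
echo "wrong password:  ", var_export(loginUser($users, 'jdav', 'wrong'), true), "\n";
echo "unknown user:    ", var_export(loginUser($users, 'nobody', 'anything'), true), "\n";
// Same password, different stored hashes, because each call picked its own salt.
echo "per-user salt:   ", var_export($users['jdav'] !== $users['doug'], true), "\n";

$salt = 'some_random_text_that_nobody_can_guess_1zk#92k!!';
// Same password, same global salt: identical digests, so one cracked entry reveals both.
echo "global salt:     ", var_export(legacyHash('pw', $salt) === legacyHash('pw', $salt), true), "\n";
```

Hashing in the browser, as proposed for the JavaScript link above, does not replace this step: whatever value the server compares against its stored copy is the effective credential, so the server must still hash what it receives. The transport is protected by TLS, and the stored value is protected by a slow, salted hash.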
