jdav3579
asked on
Using escapeshellcmd.
I have two input boxes, username and password. I want to prevent any kind of scripts from being entered into the boxes. I believe you can disable any scripts entered using escapeshellcmd, which puts forward slashes etc. in.
Below I have the following variables; how would I go about doing the above? I would prefer to keep the variable names the same, though.
<?php
$username = $_POST['username'];
$password = $_POST['password'];
?>
Thanks in advance.
ASKER
I like MD5'ing the variables first; this seems like the best way. I have never used MD5 before, any suggestions? Thanks all for your comments.
I would tend to agree with all three of the posters here.
As far as I can tell, escapeshellcmd is not really useful for what you're trying to do...
http://us2.php.net/manual/en/function.escapeshellcmd.php
It's meant to guard against letting people EXECUTE dangerous commands on your shell (the Unix equivalent of command.com/cmd.exe, for these purposes).
I use the technique promethyl describes and also mysql_real_escape_string() anything that's getting fed to MySQL
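To make the distinction in the reply above concrete, here is an added example (not code from the thread or from any of its posters) that keeps the three escaping jobs apart: shell quoting with escapeshellarg() for the rare case a value reaches a shell command, HTML output encoding with htmlspecialchars() for the "scripts in the box" worry, and parameter binding for MySQL-style queries, which makes mysql_real_escape_string() unnecessary. It assumes PHP 7.1+ and the pdo_sqlite extension; the table, the users and the sample inputs are constructed for the demo.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.1+ (scalar type
// hints, nullable return type) and the pdo_sqlite extension for the demo.

// 1. Shell: relevant only if the value is ever handed to exec()/system().
//    escapeshellarg() quotes ONE argument so the shell treats it as data;
//    escapeshellcmd() is meant for a whole command string, not form input.
function buildShellCommand(string $username): string
{
    return 'id ' . escapeshellarg($username);
}

// 2. HTML: encode on output, so "<script>" is displayed as text, not run.
function renderUsername(string $username): string
{
    return htmlspecialchars($username, ENT_QUOTES, 'UTF-8');
}

// 3. SQL: bind the value as a parameter. No escaping function is needed,
//    because the value never becomes part of the query text.
function findUser(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Demo with a constructed in-memory table and constructed inputs.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO users (username) VALUES (:u)');
foreach (['alice', "O'Brien"] as $u) {
    $ins->execute([':u' => $u]);
}

$samples = ['alice', "O'Brien", '<script>alert(1)</script>'];
foreach ($samples as $s) {
    printf("input : %s\n", $s);
    printf("shell : %s\n", buildShellCommand($s));
    printf("html  : %s\n", renderUsername($s));
    $row = findUser($db, $s);
    printf("sql   : %s\n\n", $row === null ? 'no such user' : 'found id ' . $row['id']);
}
```

Run it with `php example.php`. The point to notice is that the same raw value is handled differently at each boundary: the quote in "O'Brien" is preserved as data for the shell and for the database lookup, while the "<script>" input is neither executed nor found, just rendered harmlessly as text. Escaping once at input time with the wrong function (as the question proposes) cannot cover all three cases.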
Yes, I would agree with the MD5 of the variables also (If you like this, give points to Promethyl):
Something like this:
$salt = "some_random_text_that_nobody_can_guess_1zk#92k!!";
<?php
$username = md5($_POST['username'] . $salt);
$password = md5($_POST['password'] . $salt);
?>
-Doug
Oops, put the $salt line inside the <?php tag.
dougday - that's not really the way you do it...
You MD5 the password on the client side using JavaScript;
otherwise you aren't reaping any security benefits.
True, I assumed use of ssl. (I guess I should stop assuming ;)
Why thank you :)
>I use the technique promethyl describes and also mysql_real_escape_string() anything that's getting fed to MySQL
Thank you. MD5 is insecure, though. Use SHA-1 or better.
http://us3.php.net/sha1
sha1
(PHP 4 >= 4.3.0, PHP 5)
sha1 -- Calculate the sha1 hash of a string
Description
string sha1 ( string str [, bool raw_output] )
Calculates the sha1 hash of str using the US Secure Hash Algorithm 1, and returns that hash. The hash is a 40-character hexadecimal number. If the optional raw_output is set to TRUE, then the sha1 digest is instead returned in raw binary format with a length of 20.
Note: The optional raw_output parameter was added in PHP 5.0.0 and defaults to FALSE.
Example 1. A sha1() example
<?php
$str = 'apple';
if (sha1($str) === 'd0be2dc421be4fcd0172e5afceea3970e2f3d940') {
echo "Would you like a green or red apple?";
exit;
}
?>
See also sha1_file(), crc32(), and md5()
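The salted-MD5 snippet earlier in the thread and the sha1() manual excerpt above both hash with a single site-wide salt and a fast digest. The added example below (my code, not from the thread, the manual, or any poster) contrasts that with PHP's password_hash()/password_verify(), which generate a random per-user salt and use a deliberately slow hash. It assumes PHP 7.0+ (5.5+ for the hashing functions themselves); the salt and passwords are constructed values.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.0+ (type hints);
// password_hash()/password_verify() exist from PHP 5.5.

// Registration: password_hash() picks a random per-user salt, runs a slow
// hash (bcrypt by default) and returns one string that stores both.
function storePassword(string $plain): string
{
    return password_hash($plain, PASSWORD_DEFAULT);
}

// Login: password_verify() reads the salt back out of the stored string
// and compares in constant time.
function checkPassword(string $plain, string $stored): bool
{
    return password_verify($plain, $stored);
}

// The thread's approach: one site-wide salt and a fast digest (sha1 here,
// md5 in the earlier post). Kept only to show the difference below.
function fixedSaltDigest(string $plain, string $salt): string
{
    return sha1($plain . $salt);
}

// Demo with constructed values.
$salt = 'site_wide_secret_salt';                 // constructed; same for every user
$digestA = fixedSaltDigest('hunter2', $salt);    // user A
$digestB = fixedSaltDigest('hunter2', $salt);    // user B, same password
// With a shared salt, two users with the same password get the same digest,
// so cracking one digest (cheap for sha1/md5) exposes all of them.
printf("fixed-salt digests equal:     %s\n", var_export($digestA === $digestB, true));

$storedA = storePassword('hunter2');
$storedB = storePassword('hunter2');
// Per-user salts make the stored strings differ for the same password,
// and each string still verifies only against its own password.
printf("password_hash strings equal:  %s\n", var_export($storedA === $storedB, true));
printf("correct password accepted:    %s\n", var_export(checkPassword('hunter2', $storedA), true));
printf("wrong password rejected:      %s\n", var_export(!checkPassword('letmein', $storedA), true));
```

Two practical notes for the asker's `$username`/`$password` variables: only the password should be hashed, since the username has to stay readable to look the account up, and hashing on the server is what protects the stored credential. Hashing in browser JavaScript (as suggested later in the thread) does not replace TLS, because whatever string the browser sends is then the value the server accepts as the credential; SSL protects it in transit, the server-side hash protects it at rest.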
I was hoping I had a link for the JS (I didn't write it).
This link has MD5, SHA-1, etc. in JavaScript:
http://pajhome.org.uk/crypt/md5/
Are you passing these values to the shell?