Hi
I have a PHP app which takes a user-inputted $imageurl and does the following:
exec('convert "'.$url.'" -thumbnail 80x500 "images/out.jpg"');
Now obviously I have to take some precautions with this to stop users from executing arbitrary code. For example, if the user sets $url
to";rm -rf *;"
is no good at all.
So for starters I have to filter out "
so that no matter what they type in, they can't escape from their input being a parameter to convert
. But should I filter out ;
as well? I've seen urls with semicolons in them... and while the semicolon is really the danger here, filtering out "
would still keep me safe right? But can urls have "
in them? And are there any other characters I should watch for?
Maybe instead of filtering characters out I should try to escape them. So should I try to escape every character interpreted specially by the shell? Or just escape "
as everything else is sort of "pre-escaped" given that it's inside double-quotes?
Sorry for my rambling confusion, I'm just new at this and want to stay safe!
Thanks,
Mala