Posted by Jon Ribbens on 05/22/06 15:25
In article <446fd2de@212.67.96.135>, Dave (from the UK) wrote:
> I'm trying to write a form
>
> which
>
> 3) Passes the lot to the maths program.
Danger Will Robinson! You are sailing *very* dangerous waters here.
The chances of you not ending up with a script which will let anyone
in the world run any shell command they want on your web server are
extremely slim.
Taking just the shell escaping issues, as Owen Rees has said the best
solution is to avoid them completely by using only a static command
line and passing your user data on a stream such as stdin instead.
If you cannot do this, then the function you want is escapeshellarg,
which I designed precisely for this purpose:
http://uk.php.net/escapeshellarg
(Although the moronic PHP developers managed to break the
implementation, it still more-or-less works.)
However, as you yourself have pointed out, Mathematica has a "!" shell
escape command (along with many other dangerous functions, no doubt).
So it's not just the shell you have to be worried about here, it's
Mathematica itself as well.
Basically, you must consider this web form as equivalent to giving
anyone who can access it a shell login on your web server. If that's
ok, go ahead. Otherwise, just give up. You cannot do what you are
trying to do.
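As an added illustration of the two approaches described in the post above (this is example code, not code from the original thread), in PHP: a static command line with the user data written to stdin, and the escapeshellarg fallback for the case where an argument really must go on the command line. The program name `mathprog`, the form field `expr`, and the helper names `run_with_stdin` and `build_command` are assumptions.

```php
<?php
// Added example, not from the original post. The program "mathprog" and the
// form field "expr" are assumptions standing in for the poster's maths program.

// Approach 1 (preferred): the command line is a fixed string, so nothing the
// user typed ever reaches the shell. The user's data goes down a pipe to stdin.
function run_with_stdin(string $command, string $input): array
{
    $spec = [
        0 => ['pipe', 'r'],   // child's stdin: we write the form data here
        1 => ['pipe', 'w'],   // child's stdout
        2 => ['pipe', 'w'],   // child's stderr
    ];
    $proc = proc_open($command, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException("could not start: $command");
    }
    fwrite($pipes[0], $input);
    fclose($pipes[0]);              // EOF tells the program the input is complete
    $stdout = stream_get_contents($pipes[1]);
    $stderr = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $status = proc_close($proc);    // exit status of the child
    return ['status' => $status, 'stdout' => $stdout, 'stderr' => $stderr];
}

// Approach 2 (fallback): if a value must appear on the command line, quote
// every user-supplied argument with escapeshellarg() and never interpolate raw.
function build_command(string $program, array $args): string
{
    $quoted = array_map('escapeshellarg', $args);
    return $program . ' ' . implode(' ', $quoted);
}

$expr = $_POST['expr'] ?? '';   // untrusted, straight from the web form

// What NOT to do: with a constructed input such as "1; rm -rf /" the shell
// runs the second command. (Left commented out on purpose.)
// shell_exec('mathprog ' . $expr);

// Safe against shell injection: static command, data on stdin.
$result = run_with_stdin('mathprog', $expr . "\n");

// If stdin is not an option, at least the shell sees one quoted argument:
// build_command('mathprog', ["1; rm -rf /"]) yields  mathprog '1; rm -rf /'
$cmd = build_command('mathprog', [$expr]);
```

Two caveats a practitioner should keep in mind. First, a string passed to proc_open is still handed to /bin/sh on Unix; that is harmless here only because the string is a constant. PHP 7.4 and later also accept an array of argv elements for the command, which bypasses the shell altogether and is the cleaner choice where available. Second, neither approach addresses the point made at the end of the post: once the data reaches the maths program, that program's own escape hatches (Mathematica's "!" shell escape, and the like) are fully reachable by the user, so the stdin pipe protects the shell, not the program behind it.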