Posted by PB on 01/19/07 19:48
Toby,
Thanks. My input is coming from a database. I should be OK; I've made
sure most of the stuff is hidden by using functions referenced on other
pages outside the htdocs dir. However, point taken and thank you, it
now works.
Cheers,
PB
Toby Inkster wrote:
> PB wrote:
>
> > <?php
> > system("babel $data['mol'] -oxyz:struct.xyz -h");
> > ?>
>
> Where does the value for $data['mol'] come from? A database? A user? Can
> you trust it? What happens if a nasty user finds out a way of setting:
>
> $data['mol'] = '; rm -fr ~; echo';
>
> Then your command becomes:
>
> system("babel ; rm -fr ~; echo -oxyz:struct.xyz -h");
>
> Which is equivalent to running the following:
>
> system("babel");
> system("rm -fr ~");
> system("echo -oxyz:struct.xyz -h");
>
> Note that the middle command here deletes all your files. I repeat,
> DELETES ALL YOUR FILES. It would be possible to substitute in pretty much
> any command -- rather than deleting your files, the attacker could do
> something less obvious, but equally nasty, such as hijacking your site,
> considered trustworthy by its regular visitors, to distribute viruses.
>
> To protect against this, you should use addslashes() to escape the value
> of $data['mol'] and then surround it with quote marks. For example:
>
> $cmd = sprintf("babel '%s' -oxyz:struct.xyz -h",
> addslashes($data['mol']));
> system($cmd);
>
> This will also fix your error, which was caused by trying to interpolate
> an array member into a string. When you do that, you must use the curly
> brace notation. For example:
>
> <?php
> $array['animal'] = 'cat';
> echo "It was a $array['animal']."; // Doesn't work
> echo "It was a ${array['animal']}."; // Works
> echo "It was a {$array['animal']}."; // Works
>
> // printf() is another option:
> printf('It was a %s.', $array['animal']);
> ?>
>
> --
> Toby A Inkster BSc (Hons) ARCS
> Contact Me ~ http://tobyinkster.co.uk/contact
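An added example, not part of the thread above and not Toby's or PB's code, showing what the shell actually receives for each way of building the babel command. It assumes a `babel` binary on PATH and uses helper names (`build_unsafe`, `build_addslashes`, `build_escapeshellarg`, `run_babel`) that are mine. addslashes() only puts a backslash in front of a single quote, and inside a POSIX single-quoted string a backslash is an ordinary character, so the quote still terminates the argument; escapeshellarg() is the PHP function designed for this job.

```php
<?php
// Added example (not from the original thread). Assumes the 'babel' binary is on PATH
// and that $mol may be influenced by an untrusted source (a database row, a form field).

// Pattern from the thread: raw interpolation into the command string.
function build_unsafe(string $mol): string {
    return "babel {$mol} -oxyz:struct.xyz -h";
}

// The addslashes() + single-quote construction suggested in the thread.
function build_addslashes(string $mol): string {
    return sprintf("babel '%s' -oxyz:struct.xyz -h", addslashes($mol));
}

// escapeshellarg() wraps the value in single quotes and rewrites each embedded
// single quote as '\'' (close, escaped quote, reopen), so the shell always
// reads the whole value as exactly one argument.
function build_escapeshellarg(string $mol): string {
    return sprintf("babel %s -oxyz:struct.xyz -h", escapeshellarg($mol));
}

// Payload from the thread: works against raw interpolation.
$payload1 = "; rm -fr ~; echo";
echo build_unsafe($payload1), "\n";
// babel ; rm -fr ~; echo -oxyz:struct.xyz -h   -> three commands, rm runs

// Payload that breaks out of the addslashes() quoting: the leading quote
// closes the string, '#' comments out the rest of the line.
$payload2 = "'; rm -rf ~; #";
echo build_addslashes($payload2), "\n";
// babel '\'; rm -rf ~; #' -oxyz:struct.xyz -h
//   shell tokens: babel \  |  rm -rf ~  |  (comment)   -> rm still runs

echo build_escapeshellarg($payload2), "\n";
// babel ''\''; rm -rf ~; #' -oxyz:struct.xyz -h
//   shell tokens: babel  '; rm -rf ~; #  -oxyz:struct.xyz  -h   -> one harmless argument

// Hypothetical wrapper: allow-list the value first (a molecule identifier
// should never need shell metacharacters), then quote it anyway.
function run_babel(string $mol): int {
    if (!preg_match('/\A[A-Za-z0-9_.\-]+\z/', $mol)) {
        throw new InvalidArgumentException('unexpected characters in molecule name');
    }
    $cmd = sprintf('babel %s -oxyz:struct.xyz -h', escapeshellarg($mol));
    system($cmd, $status);
    return $status;
}

// Alternative that never involves a shell: proc_open() with an argv array
// (PHP 7.4+), so metacharacters in $mol cannot be interpreted at all.
function run_babel_noshell(string $mol): int {
    $proc = proc_open(['babel', $mol, '-oxyz:struct.xyz', '-h'],
                      [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']],
                      $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start babel');
    }
    foreach ($pipes as $p) {
        fclose($p);
    }
    return proc_close($proc);
}
```

The comments after each `echo` show the exact command string produced; compare the addslashes() line, where the shell's first token is a lone backslash and the injected `rm` still executes, with the escapeshellarg() line, where the same payload ends up as one quoted argument to babel.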