PHP - Is my code safe enough when using shell_exec()?

Time: 2015-02-25 15:28:54

Tags: php security shell-exec remotecommand

I am using the shell_exec function on the following variables to run a command on the shell:

  1. fname (letters only)
  2. fpack (letters only)
  3. email (a valid email address)

My code is:

    <?php
    
    require_once 'connectionToDB.php';
    
    // Note the order: escapeshellarg() runs first and wraps the value in
    // single quotes, then FILTER_SANITIZE_STRING strips tags, and finally
    // mysqli_real_escape_string() escapes the result for SQL.
    $fname = mysqli_real_escape_string($dbc, filter_var(escapeshellarg($_POST['fname']), FILTER_SANITIZE_STRING));
    $fpack = mysqli_real_escape_string($dbc, filter_var(escapeshellarg($_POST['fpack']), FILTER_SANITIZE_STRING));
    $email = mysqli_real_escape_string($dbc, filter_var(escapeshellarg($_POST['email']), FILTER_SANITIZE_EMAIL));
    
    /** Verify name of application **/
    // ctype_alpha(): true only if every character is a letter (the original
    // post called a non-existent ctype() function here).
    if(!ctype_alpha($fname)) {
        $op = json_encode(array('type' => 'error', 'msg' => 'Application name must be in english alphabetical letters only'));
        die($op);
    }
    if(strlen($fname)>20) {
        $op = json_encode(array('type' => 'error', 'msg' => 'Application name must be less than 20 characters'));
        die($op);
    }
    
    /** Verify name of package **/
    if(!ctype_alpha($fpack)) {
        $op = json_encode(array('type' => 'error', 'msg' => 'Package name must be in english alphabetical letters only'));
        die($op);
    }
    if(strlen($fpack)>20) {
        $op = json_encode(array('type' => 'error', 'msg' => 'Package name must be less than 20 characters'));
        die($op);
    }
    
    /** Verify user's email **/
    if (strlen($email)>50) {
        $op = json_encode(array('type' => 'error', 'msg' => 'Email must be of less than 50 characters'));
        die($op);
    }
    
    // FILTER_VALIDATE_EMAIL returns false when the value is not a valid address.
    if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
        $op = json_encode(array('type' => 'error', 'msg' => 'Please provide a valid email address.'));
        die($op);
    }
    

As I said, I use shell_exec on these variables, and I am afraid of remote code execution. Is my code safe enough to prevent RCE?
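The question has no answers on the page, so the following is an added example written for this page, not code from the original post. It shows the ordering a practitioner would use for the same three fields: validate the raw POST value against an allow-list (letters only, length limit, FILTER_VALIDATE_EMAIL), and call escapeshellarg() only at the point where the command string is assembled. In the posted code escapeshellarg() runs first, so the value handed to ctype_alpha() already contains the surrounding single quotes and the letters-only check can never pass; the SQL escaping is also applied to a value that has already been shell-quoted. The tool path `/usr/local/bin/build-app`, the function names and the sample inputs are assumptions for illustration.

```php
<?php
// Added example, not from the original question. Validate first, quote last.
// "/usr/local/bin/build-app" and the helper names below are assumed for
// illustration only.

declare(strict_types=1);

/**
 * Returns the name if it is letters only and within the length limit,
 * otherwise null. Runs on the raw POST value: escapeshellarg() adds quotes,
 * so calling ctype_alpha() on its output (as in the question) can never succeed.
 */
function validate_name(?string $value, int $maxLen = 20): ?string
{
    if ($value === null || $value === '') {
        return null;
    }
    if (!ctype_alpha($value) || strlen($value) > $maxLen) {
        return null;
    }
    return $value;
}

/** Returns the address if FILTER_VALIDATE_EMAIL accepts it, otherwise null. */
function validate_email(?string $value, int $maxLen = 50): ?string
{
    if ($value === null || strlen($value) > $maxLen) {
        return null;
    }
    return filter_var($value, FILTER_VALIDATE_EMAIL) === false ? null : $value;
}

/**
 * Builds the command line. The program path is a fixed string, "--" ends
 * option parsing so a value beginning with "-" cannot be read as a flag
 * (for tools that honour it), and every argument is quoted with
 * escapeshellarg() so shell metacharacters are passed literally.
 */
function build_command(string $fname, string $fpack, string $email): string
{
    return '/usr/local/bin/build-app -- '
        . escapeshellarg($fname) . ' '
        . escapeshellarg($fpack) . ' '
        . escapeshellarg($email);
}

// Constructed sample inputs, including a metacharacter injection attempt
// and an address carrying a newline.
$samples = [
    ['fname' => 'MyApp',       'fpack' => 'Tools', 'email' => 'user@example.com'],
    ['fname' => 'x; rm -rf /', 'fpack' => 'Tools', 'email' => 'user@example.com'],
    ['fname' => 'MyApp',       'fpack' => 'Tools', 'email' => "a@b.c\nid"],
];

foreach ($samples as $post) {
    $fname = validate_name($post['fname']);
    $fpack = validate_name($post['fpack']);
    $email = validate_email($post['email']);
    if ($fname === null || $fpack === null || $email === null) {
        // Reject before anything reaches the shell or the database.
        echo json_encode(['type' => 'error', 'msg' => 'Invalid input']), "\n";
        continue;
    }

    $cmd = build_command($fname, $fpack, $email);
    echo $cmd, "\n";
    // $output = shell_exec($cmd);   // the real call; printed here instead

    // Database side: bind the validated values with a prepared statement
    // instead of running mysqli_real_escape_string() on the shell-quoted text.
    // $stmt = $dbc->prepare('INSERT INTO apps (fname, fpack, email) VALUES (?, ?, ?)');
    // $stmt->bind_param('sss', $fname, $fpack, $email);
    // $stmt->execute();
}
```

Only the first sample produces a command; the second fails ctype_alpha() on the `;` and spaces, and the third fails FILTER_VALIDATE_EMAIL on the newline. One caveat on escapeshellarg(): on Unix it single-quotes the argument and escapes embedded single quotes, which is sufficient for the shell, but it does nothing about what the invoked program does with its arguments, and its handling of multibyte characters depends on the process locale. The letters-only allow-list above sidesteps both concerns for the name fields; the email field is the one where the tool's own argument handling still matters.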

0 answers:

No answers