php-使用shell_exec()时,我的代码是否足够安全?
我正在对以下变量使用php-使用shell_exec()时,我的代码是否足够安全?,php,security,shell-exec,remotecommand,Php,Security,Shell Exec,Remotecommand,我正在对以下变量使用shell\u exec函数在shell上执行命令: fname(仅限字符) fpack(仅限字符) 电子邮件(有效的电子邮件地址) 我的代码是: <?php require_once 'connectionToDB.php'; $fname = mysqli_real_escape_string($dbc, filter_var(escapeshellarg($_POST['fname']), FILTER_SANITIZE_STRING)); $fpack =
shell\u exec
函数在shell上执行命令:
fname
(仅限字符)fpack
(仅限字符)电子邮件
(有效的电子邮件地址)<?php
require_once 'connectionToDB.php';
$fname = mysqli_real_escape_string($dbc, filter_var(escapeshellarg($_POST['fname']), FILTER_SANITIZE_STRING));
$fpack = mysqli_real_escape_string($dbc, filter_var(escapeshellarg($_POST['fpack']), FILTER_SANITIZE_STRING));
$email = mysqli_real_escape_string($dbc, filter_var(escapeshellarg($_POST['email']), FILTER_SANITIZE_EMAIL));
/** Verify name of applicaion **/
if(!ctype($fname)) {
$op = json_encode(array('type' => 'error', 'msg' => 'Application name must be in english alphabetical letters only'));
die($op);
}
if(strlen($fname)>20) {
$op = json_encode(array('type' => 'error', 'msg' => 'Application name must be less than 20 characters'));
die($op);
}
/** Verify name of package **/
if(!ctype($fpack)) {
$op = json_encode(array('type' => 'error', 'msg' => 'Package name must be in english alphabetical letters only'));
die($op);
}
if(strlen($fpack)>20) {
$op = json_encode(array('type' => 'error', 'msg' => 'Package name must be less than 20 characters'));
die($op);
}
/** Verify user's email **/
if (strlen($email)>50) {
$op = json_encode(array('type' => 'error', 'msg' => 'Email must be of less than 50 characters'));
die($op);
}
if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
$op = json_encode(array('type' => 'error', 'msg' => 'Please provide a valid email address.'));
die($op);
}
标准PHP中没有ctype
函数。这是一个自定义功能吗?通常,您必须根据您的数据模型区分数据验证(例如,电子邮件应仅为有效的电子邮件地址)和在处理过程中正确处理数据(例如,正确引用/转义命令行参数)。这是两个完全不同且独立的步骤。你把它们混在一起了。我投票把这个问题作为离题题来结束,因为这是一个重复的问题