Re: php mail function bypass safe_mode restriction

[Jon Ribbens <jon+bugtraq () unequivocal co uk>]

Laurent Sintes <sintes () nfrance com> wrote:
> extra_cmd = php_escape_shell_arg(Z_STRVAL_PP(argv[4]));
>
> But it is not a suffisant check because php_escape_shell_arg
> does not escape all charaters.

False. escape_shell_arg will successfully escape all characters from
shells.