Bugtraq mailing list archives

Re: PHP Net Toolpack: input validation error


From: Jon Ribbens <jon+bugtraq () unequivocal co uk>
Date: Tue, 19 Mar 2002 16:37:45 +0000

ppp-design <security () ppp-design de> wrote:
> You can use escapeshellcmd() to check the input for unwanted characters.
> So you can replace the bad line in the traceroute function with the
> following two lines:
>
> $sec_input=escapeshellcmd($a_query);
> exec("/sbin/traceroute $sec_input",$ret_strs);

Note that this does not do what you think it does. escapeshellcmd is
not the right function to use - at the very least, people can still
pass more than one parameter to traceroute when you only want them to
be able to pass one. The correct function to use is escapeshellarg.
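
The difference between the two functions discussed above, as an added example that is not part of the original message or of PHP Net Toolpack. The helper names shell_arg_count() and build_traceroute_cmd() and the sample input are hypothetical; it assumes a POSIX sh and PHP 7 or later.

```php
<?php
// Added example: compares escapeshellcmd() and escapeshellarg() on one
// constructed input by asking the shell how many arguments it received.

// Hypothetical helper: `sh -c 'echo $#' sh <fragment>` prints the number of
// arguments the shell produced from <fragment>.
function shell_arg_count(string $fragment): int
{
    exec("sh -c 'echo \$#' sh " . $fragment, $out);
    return isset($out[0]) ? (int) $out[0] : -1;
}

// Hypothetical hardened wrapper: validate the value as an IP address or
// hostname first, then quote it so the shell sees exactly one argument.
function build_traceroute_cmd(string $query): ?string
{
    $isIp   = filter_var($query, FILTER_VALIDATE_IP) !== false;
    $isHost = filter_var($query, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) !== false;
    if (!$isIp && !$isHost) {
        return null; // not an IP address or hostname: refuse to build a command
    }
    return '/sbin/traceroute ' . escapeshellarg($query);
}

// Constructed sample input: two whitespace-separated words.
$a_query = 'example.com second-word';

// escapeshellcmd() escapes shell metacharacters but leaves whitespace
// untouched, so the shell still splits the value into separate arguments.
echo 'escapeshellcmd: ', shell_arg_count(escapeshellcmd($a_query)), " argument(s)\n";

// escapeshellarg() wraps the whole value in single quotes, so it reaches
// the program as a single argument.
echo 'escapeshellarg: ', shell_arg_count(escapeshellarg($a_query)), " argument(s)\n";

// The wrapper rejects the two-word value outright and accepts a plain hostname.
var_dump(build_traceroute_cmd($a_query));
var_dump(build_traceroute_cmd('example.com'));
```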

