Re: injection
- Posted by CChris Jul 13, 2008
- 714 views
Shawn Pringle said...
system( ... , int )
Instead of passing a string with system(), a better function should take what would be formatted like the return value of command_line().
shell_execute( { "/bin/rm", file_name } ) illustrative use only
There are all kinds of problems using system( "rm file_name", 0 ). Imagine if the user installs the program under Program Files and this call is for deleting for an uninstall. The system answers as it cannot find the file c:\Programs.
Shawn
system( "rm \"file_name\"", 0 )
Not good?
CChris
btw I have cookies enabled, but still asked for my name.
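The two approaches in this thread, compared in an added example that is not part of either post: Python's `shlex` stands in for a POSIX shell's word splitting to show what each command string turns into, next to the argument-list form. The function names and both sample file names are constructed for illustration, and nothing is executed.

```python
import shlex

SEPARATORS = {";", "&", "&&", "|", "||"}

def naive(name):
    # system("rm file_name", 0) with the name pasted in unquoted
    return "rm " + name

def quoted(name):
    # the reply's variant: system("rm \"file_name\"", 0)
    return 'rm "' + name + '"'

def argv_form(name):
    # Shape of the proposed shell_execute({"/bin/rm", file_name}): no shell
    # parses it. "--" also stops rm reading a leading "-" as an option.
    return ["/bin/rm", "--", name]

def shell_view(cmd):
    """Approximate POSIX shell tokenizing: list of commands, each a word list.
    Simplified model: a quoted ";" is not told apart from a separator."""
    lex = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lex.whitespace_split = True  # needs Python 3.8+ with punctuation_chars
    commands, words = [], []
    for tok in lex:
        if tok in SEPARATORS:
            if words:
                commands.append(words)
            words = []
        else:
            words.append(tok)
    if words:
        commands.append(words)
    return commands

# Constructed sample names
SPACED = "Program Files/app.dat"
HOSTILE = 'a"; echo INJECTED; "b'

if __name__ == "__main__":
    for name in (SPACED, HOSTILE):
        print("naive :", shell_view(naive(name)))
        print("quoted:", shell_view(quoted(name)))
        print("argv  :", argv_form(name))
```

Wrapping the name in quotes repairs the space case, but a name that itself contains a double quote closes the quoting early and the rest is parsed as further commands; the argument list keeps the name as a single word whatever it contains.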