1

I've tried searching but haven't had much luck. Apologies if this is answered somewhere.

I'm playing with a few bits and pieces and I was trying to pass a URL variable to EXEC. Here's what I was trying. sc.exe is a program I have to pass a URL to; the $GET_ID variable has to come from the URL.

  $GET_ID =$_GET= ['myid'];
  exec('sc.exe --url=http://localhost/DS1/test.php?ID='.$GET_ID.'&TEST=1');
  echo $GET_ID;

When I try this code out, the GET variable doesn't seem to be passed; the program gets http://localhost/DS1/test.php?ID=&TEST=1'

I've done a bit of searching, and this seems to be a restriction of sorts. So what is the solution or workaround?

thanks

1
  • Stupid question ... but have you included the 'myid' in the query string with an actual value? Because it should work as you have it. Commented Apr 24, 2011 at 13:16

2 Answers

5

You have an extra = in your code. This should work:

$GET_ID = $_GET['myid']; 

However, directly passing user data to the command line is highly dangerous! It allows an attacker to execute arbitrary commands on the command line.

You must use escapeshellarg():

$GET_ID = escapeshellarg($_GET['myid']);
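One way to apply escapeshellarg() to the command from the question, as an added example that is not code from the thread: the whole `--url=` argument is quoted, so the literal `&` in the query string sits inside the quotes too. The function name `build_sc_command()` and the ID allow-list are assumptions; the allow-list keeps `%` out of the URL, because on Windows escapeshellarg() replaces `%`, `!` and `"` with spaces.

```php
<?php
// Added example, not code from the thread. build_sc_command() and the
// ID allow-list are assumptions made for illustration.

function build_sc_command(array $query): ?string
{
    $id = $query['myid'] ?? null;

    // ?myid[]=x makes $_GET['myid'] an array; a missing key gives null.
    if (!is_string($id)) {
        return null;
    }

    // Assumed ID format: 1-64 letters, digits, '_' or '-'. With this
    // allow-list the URL never needs percent-encoding, which matters on
    // Windows, where escapeshellarg() turns '%', '!' and '"' into spaces.
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $id) !== 1) {
        return null;
    }

    // Build the query string with an explicit '&' separator so the result
    // does not depend on the arg_separator.output ini setting.
    $url = 'http://localhost/DS1/test.php?'
         . http_build_query(['ID' => $id, 'TEST' => 1], '', '&');

    // Quote the complete argument. Quoting only the ID would leave the
    // '&' before TEST=1 outside the quotes, where the shell treats it
    // as a command separator.
    return 'sc.exe ' . escapeshellarg('--url=' . $url);
}

// Constructed sample inputs standing in for $_GET.
$samples = [
    ['myid' => 'abc-123'],     // accepted
    ['myid' => '7&TEST=0'],    // would override TEST: rejected
    ['myid' => '7 & echo x'],  // shell metacharacters: rejected
    ['myid' => ['x']],         // array instead of string: rejected
    [],                        // parameter missing: rejected
];

foreach ($samples as $query) {
    $cmd = build_sc_command($query);
    echo json_encode($query), ' => ', $cmd ?? 'rejected', PHP_EOL;
    // In the real page: if ($cmd !== null) { exec($cmd, $output, $status); }
}
```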


1

Just remove the = after $_GET.
