Preventing user injection when running ImageMagick via the command line


I'm developing a web app where users will supply UTF8 text that will be rendered onto images using imagemagik. I'm calling the convert command through PHP's shell execute command.

I'm not well versed on sanitizing user input (for injection) for command line operations and have been having trouble finding resources about my exact situation.

The following article sounds like I don't have much to worry about if the user input is entirely enclosed in quotes in the bash command:

Sanitize user input in bash for security purposes

So my question is, what do I need to worry about for user sanitation/escaping in the following usage

    <?php

    //GET USER SUPPLIED POST DATA
    $user_input = $_POST['text'];

    //CALL IMAGEMAGIK VIA COMMAND LINE TO RENDER IMAGE
    exec("convert -pointsize 50 -draw 'text 50,50 \"".$user_input."\" ' /source.png /output.png");

EDIT: Since posting I realized I should just be running imagemagick as an installed library in php... so now I guess, same question, but using the php object methods.
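As an added example (not code from the original post): the problem with the exec() call above is that the user text sits inside shell single quotes, so a single quote in the input ends that quoting and everything after it is parsed by the shell. The first function below makes the whole -draw primitive one shell argument with escapeshellarg(); the second uses the Imagick extension the EDIT asks about, so no shell is involved at all. Assumptions: the imagick extension is installed, and /source.png and /output.png are the placeholder paths from the post. Note that ImageMagick applies its own interpretation to arguments too: a -draw argument beginning with @ is read from that file, so the argument here is the complete primitive we built, never the raw user text, and the path policy in policy.xml (pattern @*) governs what such indirection may read.

```php
<?php
// Added example (not from the original post): two ways to keep user-supplied
// text out of shell parsing. /source.png and /output.png are the post's
// placeholder paths; the Imagick extension is assumed to be installed.

function renderViaExec(string $userInput): int
{
    // ImageMagick's MVG parser wants: text x,y "string". Inside that quoted
    // string only backslash and double quote need escaping.
    $mvg = 'text 50,50 "' . addcslashes($userInput, "\\\"") . '"';

    // escapeshellarg() wraps the primitive in single quotes and escapes any
    // single quote inside it, so ; | ` $( ) or ' in the user text are data,
    // not shell syntax. Paths go through the same function.
    $cmd = 'convert -pointsize 50 -draw ' . escapeshellarg($mvg)
         . ' ' . escapeshellarg('/source.png')
         . ' ' . escapeshellarg('/output.png');
    exec($cmd, $output, $status);
    return $status; // convert's exit code, 0 on success
}

function renderViaImagick(string $userInput): void
{
    // No shell at all: the text reaches the library as a plain PHP string.
    $image = new Imagick('/source.png');
    $draw  = new ImagickDraw();
    $draw->setFontSize(50);
    $image->annotateImage($draw, 50, 50, 0, $userInput);
    $image->writeImage('/output.png');
}

// Usage with a constructed input that contains the quote characters which
// broke the original exec() string.
$text = "it's \"quoted\" text";
$status = renderViaExec($text);
renderViaImagick($text);
```

Of the two, the Imagick route is the simpler one to reason about: there is no command string to escape, so the only remaining concern is what ImageMagick itself does with the text, which the same security policy controls.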

1 answer

You can always put user input into a text file and then use the @filename prefix to read it. This way it won't make it onto the command line ever.

    <?php
    // Escape quotes/backslashes, then quote the string as MVG expects: text x,y "string"
    $user_input = addslashes($user_input);
    file_put_contents("input.txt", "text 50,50 \"$user_input\"");
    // Only the file name appears on the command line; the user text never does
    exec("convert -pointsize 50 -draw @input.txt /source.png /output.png");
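Added example, not the answer's own code: the same @file indirection, but with a per-request temporary file instead of a shared fixed input.txt (two concurrent requests writing input.txt would otherwise render each other's text), the MVG text quoted the way ImageMagick's parser expects, and the file paths passed through escapeshellarg(). The /source.png and /output.png placeholders are the ones used in the thread.

```php
<?php
// Added example (not the answer's code): @file indirection done per request.
// /source.png and /output.png are the thread's placeholder paths.

function renderViaDrawFile(string $userInput, string $src, string $dst): int
{
    // MVG text primitive: text x,y "string". Inside the quoted string only
    // backslash and double quote need escaping.
    $mvg = 'text 50,50 "' . addcslashes($userInput, "\\\"") . '"';

    // tempnam() creates a uniquely named file with mode 0600, so concurrent
    // requests cannot read or overwrite each other's draw instructions.
    $drawFile = tempnam(sys_get_temp_dir(), 'mvg');
    if ($drawFile === false) {
        throw new RuntimeException('could not create temp file');
    }
    try {
        file_put_contents($drawFile, $mvg);
        // The command line now carries a path we chose; the user text is only
        // ever the contents of that file. Paths still go through escapeshellarg().
        $cmd = 'convert -pointsize 50 -draw ' . escapeshellarg('@' . $drawFile)
             . ' ' . escapeshellarg($src)
             . ' ' . escapeshellarg($dst);
        exec($cmd, $output, $status);
        return $status; // convert's exit code, 0 on success
    } finally {
        unlink($drawFile); // never leave user text lying around in /tmp
    }
}

// Usage with a constructed input containing the characters that broke the
// quoting in the question's original exec() call.
$status = renderViaDrawFile("it's \"quoted\" text", '/source.png', '/output.png');
```

The unlink() in the finally block matters as much as the tempnam(): the draw file holds user-controlled content, and a fixed, persistent input.txt would be both a race between requests and a leftover the web server keeps serving from disk.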
