I want input of alphanumeric string (sha1 - git commit ID). Is sanitizing with regexp /[^a-z0-9]/, using preg_replace with blank string enough to safely pass it to shell?
You're on the right track. You can use [^0-9a-f] instead of [^0-9a-z] to prevent someone from passing a non-hexadecimal character.
    $arg = preg_replace('/[^0-9a-f]/', '', $arg);
    if (strlen($arg) === 40) {
        // We have a SHA-1 hash
        shell_exec("git checkout {$arg}");
    }
In general cases, escapeshellarg() is what you want to use, but narrowing it down further for your specific use-case is a good idea as well.
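A stricter variant of the approach in the answer above, as an added example that is not part of the original answer: it rejects input that is not exactly 40 lowercase hex characters instead of stripping characters, and still quotes every argument with escapeshellarg(). The function names is_commit_id() and checkout_commit() and the sample inputs are hypothetical, constructed for illustration.

```php
<?php
// Added example; is_commit_id() and checkout_commit() are hypothetical helper names.

function is_commit_id(string $arg): bool
{
    // \A and \z anchor to the absolute start and end of the string.
    // A plain `$` would also match just before a trailing newline.
    // Lowercase only, matching the character class used in the answer.
    return preg_match('/\A[0-9a-f]{40}\z/', $arg) === 1;
}

function checkout_commit(string $repoDir, string $arg): int
{
    if (!is_commit_id($arg)) {
        // Reject rather than silently rewrite: stripping characters can turn
        // malformed input into a different, valid-looking commit ID.
        throw new InvalidArgumentException('expected a 40-character lowercase hex SHA-1');
    }

    // After validation the value contains no shell metacharacters;
    // escapeshellarg() is kept as a second layer and is required for $repoDir.
    $cmd = 'git -C ' . escapeshellarg($repoDir) . ' checkout ' . escapeshellarg($arg);
    exec($cmd, $output, $status);

    return $status; // git's exit code, 0 on success
}

// Constructed sample inputs (not real commit IDs from any repository).
$hex40 = str_repeat('0123456789abcdef', 2) . '01234567';
$samples = [
    'valid 40 hex'        => $hex40,
    'trailing newline'    => $hex40 . "\n",
    'uppercase hex'       => strtoupper($hex40),
    'abbreviated hash'    => substr($hex40, 0, 7),
    'appended shell text' => $hex40 . '; echo x',
    'non-hex letters'     => str_repeat('z', 40),
];

foreach ($samples as $label => $value) {
    printf("%-20s => %s\n", $label, is_commit_id($value) ? 'accepted' : 'rejected');
}
```

Only the first sample is accepted; the loop exercises the validator alone, so no git command runs unless checkout_commit() is called.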