1

I've tried searching but haven't had much luck- apologies if this is answered somewhere.

I'm playing with a few bits and pieces and I was trying to pass a URL variable to EXEC. Here's what I was trying.. sc.exe is a program I have to pass a URL- the $GET_ID variable has to come from the URL

  $GET_ID =$_GET= ['myid'];
  exec('sc.exe --url=http://localhost/DS1/test.php?ID='.$GET_ID.'&TEST=1');
  echo $GET_ID;

When I try this code out- the GET variable doesn't seem to be passed, the program gets http://localhost/DS1/test.php?ID=&TEST=1'

I've done a bit of searching.. and this seems to be a restriction of sorts.. So what is the solution/ workaround ?

thanks

chip
  • Stupid question ... but have you included the 'myid' in the query string with an actual value? Because it should work as you have it. – judda Apr 24 '11 at 13:16

2 Answers

5

You have an extra = in your code. This should work:

$GET_ID = $_GET['myid']; 

However, directly passing user data to the command line is highly dangerous! It allows an attacker to execute arbitrary commands on the command line.

You must use escapeshellarg():

$GET_ID = escapeshellarg($_GET['myid']);

Pekka
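An added example, not code from the answer above: it applies the escapeshellarg() advice to the question's sc.exe call by quoting the whole --url argument, so the & in the query string also ends up inside the quotes. The function name build_sc_command and the digits-only rule for myid are assumptions made for the illustration.

```php
<?php
// Added example. sc.exe and the URL come from the question; the helper name
// and the "id is 1-10 digits" rule are assumptions.

/**
 * Build the sc.exe command line for a request-supplied id.
 * Returns null when the id fails validation, so the caller never runs exec().
 */
function build_sc_command(?string $rawId): ?string
{
    // 1. Allow-list first: reject anything that is not a short run of digits.
    //    \A and \z anchor the whole string (a trailing newline fails too).
    if ($rawId === null || preg_match('/\A[0-9]{1,10}\z/', $rawId) !== 1) {
        return null;
    }

    // 2. Let http_build_query() assemble and URL-encode the query string
    //    instead of concatenating it by hand.
    $url = 'http://localhost/DS1/test.php?'
         . http_build_query(['ID' => $rawId, 'TEST' => 1], '', '&');

    // 3. Quote the complete argument once. The & separating ID and TEST is a
    //    shell metacharacter, so it has to sit inside the quotes as well.
    //    On Windows escapeshellarg() replaces %, ! and " with spaces, which
    //    is one more reason to validate the id before it gets this far.
    return 'sc.exe ' . escapeshellarg('--url=' . $url);
}

// Constructed sample inputs: one valid id and three that must be rejected.
$samples = ['42', '', '1&TEST=2', '1 & echo injected'];
foreach ($samples as $sample) {
    $cmd = build_sc_command($sample);
    printf("%-22s => %s\n", var_export($sample, true), $cmd ?? 'rejected');
}

// In the request handler the call would look like this:
//   $cmd = build_sc_command($_GET['myid'] ?? null);
//   if ($cmd === null) { http_response_code(400); exit; }
//   exec($cmd, $output, $exitCode);
```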
1

Just remove the = after $_GET.

Jürgen Thelen