|
|
|
|
|||||||
| Forums | Portal | Register | Forum Rules | FAQ | Contribute | Members List | Arcade | Search | Today's Posts | Mark Forums Read |
| High Level Programming Post questions about C, C++, Java, SQL, and other programming languages here. |
More UNIX and Linux Forum Topics You Might Find Helpful
|
||||
| Thread | Thread Starter | Forum | Replies | Last Post |
| "unexpected end of file" when Iīm use EOF inside block if | ricardo.ludwig | Shell Programming and Scripting | 4 | 03-28-2008 11:45 AM |
| Explain the line "mn_code=`env|grep "..mn"|awk -F"=" '{print $2}'`" | Lokesha | UNIX for Dummies Questions & Answers | 4 | 12-19-2007 09:52 PM |
| check input = "empty" and "numeric" | geoffry | Shell Programming and Scripting | 6 | 12-13-2007 01:12 AM |
| a weird issue with "while" block | sleepy_11 | Shell Programming and Scripting | 7 | 08-06-2007 08:33 PM |
| Maximum input file size in "Diff" Command | Neeraja | UNIX for Dummies Questions & Answers | 1 | 01-17-2007 06:09 AM |
 |
|
|
Submit Tools | LinkBack | Thread Tools | Display Modes |
06-19-2006
|
|||
|
|||
|
Block ";" in input string
To prevent injection, I want to exit the attached routine if a semi-colon is in the input string. I am using gcc as the compiler.
#include<stdio.h> #include<stdlib.h> int sysrun(char *command) { int num; char str[80]; char process[39] = "/xxxx/xxxx/xxxxx/xxxxx/xxxxxx2unix.sh "; num=0; strcpy(str,process); strncat(str,command,35); num = system(str); return num; } Any thing that is passed via the command string, will be appended as replacement values on the command line. What I want to do is detect if a ";" is in the command string so that I can exit the application without allowing injection. Any help would be appreciated. 
|
| Forum Sponsor | ||
|
|
|
06-19-2006
|
||||
|
||||
|
I don't quite get what you are trying to do, but this is probably what you want.
Code:
if(strstr(command,";")) {
fprintf(stdout,"command strings has a ';' in it!\n");
exit(-1);
}
|
|
06-19-2006
|
||||
|
||||
|
Shells let you do stuff like this:
command1 ; command2 and that is exactly what you want to prevent. But what about: command1 && command2 command || command2 One of those would work, depending on the exit code from your shell script. This is probably legal too: command1 & command2 And there are other variants. The best way to protect yourself is to get rid of system() and instead just fork() and exec().
|
|
06-20-2006
|
|||
|
|||
|
I am passing a command line option to an oracle external procedure script. Internally the shell script will parse the command line option, but I needed to protect my invokation from imbedded unix commands, which is why I wanted to exit on a semi colon.
|
|
06-20-2006
|
|||
|
|||
|
I think I get what you want.
Code:
#!/bin/ksh echo "$@" | grep -q ';' if [ $? -eq 0 ] ; then echo "invalid parameters" exit 1 fi
|
|
06-20-2006
|
|||
|
|||
|
Quote:
|
|
06-20-2006
|
|||
|
|||
|
ok -
Code:
for(i=1;i<argc;i++)
{
if(strchr(argv[i],';')!=NULL)
{
fprintf(stderr,"%s\n","invalid parameter");
exit(EXIT_FAILURE);
}
}
|
|||
| Google The UNIX and Linux Forums |
Tetris Champion!
Linear Mode
