simon.proctor
Well, for a start, it's coming from the outside world.
In my opinion, all CGI programs should be able to run under taint mode before they get put onto a live server. All incoming data must be taint-checked before being used. In this case we expect a string, so we can strip everything that isn't and so remove all the nasty shell characters and \00.
In the context of the program above it might appear overkill, but arguably it's better to get into good habits early.
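The taint-mode handling described in the reply above, written out as an added example (this is not code from the original thread or from the program being discussed). The parameter name `name`, the allowed character set, the hypothetical `parse_query` helper standing in for CGI.pm, and the constructed query string are all assumptions made for illustration. It shows the two points the reply makes: that everything arriving from outside is tainted under `-T`, and that a regex capture is what clears the taint, not a `tr///` that strips characters.

```perl
#!/usr/bin/perl -T
# Added example, not code from the original thread: untainting a CGI
# parameter under Perl taint mode. Parameter name, character class and
# the sample query string are assumptions for illustration.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T, %ENV must be cleaned before any system()/backticks or Perl dies
# with "Insecure $ENV{PATH}". Assigning a literal makes PATH untainted.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Minimal query-string parser (hypothetical stand-in for CGI.pm / Plack).
# Everything derived from a tainted source stays tainted.
sub parse_query {
    my ($qs) = @_;
    my %param;
    for my $pair (split /[&;]/, $qs // '') {
        my ($k, $v) = split /=/, $pair, 2;
        next unless defined $k;
        for ($k, $v) {
            next unless defined $_;
            tr/+/ /;
            s/%([0-9A-Fa-f]{2})/chr hex $1/ge;
        }
        $param{$k} = $v;
    }
    return \%param;
}

# Whitelist untaint: accept the value only if the WHOLE string is made of
# characters we expect. A successful capture clears the taint flag. Neither
# ';' nor a NUL byte ("\0") is in the class, so they can never reach a shell.
sub untaint_name {
    my ($value) = @_;
    return unless defined $value;
    my ($clean) = $value =~ /\A([A-Za-z0-9 ._-]{1,64})\z/;   # \A..\z anchor the full string
    return $clean;   # undef if the input did not match
}

# The reply's approach: strip everything that is not in the expected set.
# tr/// does NOT clear the taint flag, so the capture afterwards is still needed.
# Note the trade-off: "Alice Smith;rm -rf /" silently becomes "Alice Smithrm -rf ".
sub strip_and_untaint {
    my ($value) = @_;
    return unless defined $value;
    (my $stripped = $value) =~ tr/A-Za-z0-9 ._-//cd;   # /c complement, /d delete
    my ($clean) = $stripped =~ /\A([A-Za-z0-9 ._-]{0,64})\z/;
    return $clean;
}

# Constructed input: "Alice Smith;rm -rf /" followed by a NUL byte.
# When QUERY_STRING is set in the environment it is tainted; the literal
# fallback below is not, so tainted() reports 0 in that case.
my $qs    = $ENV{QUERY_STRING} // 'name=Alice%20Smith%3Brm%20-rf%20%2F%00';
my $param = parse_query($qs);
my $name  = $param->{name} // '';

printf "raw name : %s (tainted=%d)\n", $name =~ s/\0/\\0/gr, tainted($name) ? 1 : 0;

my $accepted = untaint_name($name);
if (defined $accepted) {
    printf "accepted : %s (tainted=%d)\n", $accepted, tainted($accepted) ? 1 : 0;
} else {
    print "rejected : input is not a plain name, nothing is passed on\n";
}

my $stripped = strip_and_untaint($name);
printf "stripped : %s (tainted=%d)\n", $stripped // '(undef)',
    defined $stripped && tainted($stripped) ? 1 : 0;
```

Run it as `QUERY_STRING='name=Alice%20Smith%3Brm%20-rf%20%2F%00' perl -T untaint.pl` (the `-T` must be on the command line as well as the shebang, or Perl stops with "Too late for -T"). The raw value reports `tainted=1`, `untaint_name` rejects it outright, and `strip_and_untaint` returns an untainted `Alice Smithrm -rf ` with the `;`, `/` and NUL removed. Which of the two to use is a design choice: rejecting tells the user something was wrong, stripping quietly changes the data; both keep shell metacharacters away from anything `system()`-like.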