Annotate - Safe?
Posted: 2015-07-31T23:56:37-07:00
by agriz
Sir
Code:
convert dragon.gif -gravity South -background Plum -splice 0x18 -annotate +0+2 'Faerie Dragon' anno_splice.gif
This is the example script i got from imagemagick website.
How safe is this script?
If I run this script from PHP using exec("convert dragon.gif -gravity South -background Plum -splice 0x18 -annotate +0+2 'Faerie Dragon' anno_splice.gif"); with the text taken from user input, can they run any malicious text?
Code:
$text = $_POST['user_text'];
exec("convert dragon.gif -gravity South -background Plum -splice 0x18 -annotate +0+2 ".$text." anno_splice.gif");
Please advise.
Re: Annotate - Safe?
Posted: 2015-08-01T01:25:30-07:00
by dlemstra
Your PHP command will allow a user to execute any command on your machine. I am no PHP expert but I think you need to use the following function:
http://us3.php.net/manual/en/function.e ... ellarg.php to prevent the user from doing that.
Re: Annotate - Safe?
Posted: 2015-08-01T01:36:54-07:00
by agriz
Thanks for the advice.
Can you please tell me what kind of input, if I give it, can run such a malicious command?
So I can test the same command with escapeshellarg.
Re: Annotate - Safe?
Posted: 2015-08-01T01:38:55-07:00
by Bonzo
Like all user input you need to validate it whether it is text or image uploads.
For an answer to your last question I recommend going to a web design forum as it is not an Imagemagick question.
Re: Annotate - Safe?
Posted: 2015-08-01T01:46:08-07:00
by agriz
Sir,
There is no image uploading option.
The user can just fill the text they want.
They are allowed to fill any text.
I will just try to output the command to screen with and without escapeshellarg,
so I can better understand what is happening.
Re: Annotate - Safe?
Posted: 2015-08-01T01:55:32-07:00
by Bonzo
The users on this forum are here for Imagemagick information and use a variety of different codes.
As the exec() problem you are asking about can occur in any PHP code, not just ImageMagick, I was recommending you go to a forum where there will be PHP experts who can answer your question more fully.
I am not trying to force you away; I just think you will get more information elsewhere.
Re: Annotate - Safe?
Posted: 2015-08-01T02:52:25-07:00
by agriz
I thought exec was more related to Linux.
I will get advice from php users.
Thank you sir.
Re: Annotate - Safe?
Posted: 2015-08-01T04:14:33-07:00
by agriz
Does Imagick have limited features? Or can I use all the things I do with exec?
Re: Annotate - Safe?
Posted: 2015-08-01T04:39:44-07:00
by Bonzo
Yes Imagick does have limited features and is not that well maintained but it would probably do what you want.
You could check out this site for examples:
http://phpimagick.com/
Re: Annotate - Safe?
Posted: 2015-08-01T08:37:55-07:00
by agriz
Sir,
I am using escapeshellarg.
I tried to use escapeshellcmd on Windows and it is working fine.
But on my Linux server, after adding escapeshellarg, the generated images have single quotes.
I have attached the image.
Re: Annotate - Safe?
Posted: 2015-08-01T09:03:09-07:00
by Bonzo
You need to post your code; I assume you are using single quotes around your text; try normal quotes instead.
escapeshellarg() adds single quotes around a string and quotes/escapes any existing single quotes allowing you to pass a string directly to a shell function and having it be treated as a single safe argument. This function should be used to escape individual arguments to shell functions coming from user input.
Re: Annotate - Safe?
Posted: 2015-08-01T09:11:21-07:00
by agriz
Thank you sir.
When I rewrote the code, I used single quotes.
After changing them to double quotes, it is working very well.
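The hardened form of the command from this thread, as an added example that is not the poster's code: escapeshellarg() supplies its own single quotes (which is why wrapping it in a second pair produced literal quotes in the image), so the argument is concatenated bare, and the text is checked before it reaches the shell. It assumes `convert` is on PATH and dragon.gif is in the working directory.

```php
<?php
// Added example (not from the thread): build the annotate command safely.
// Assumes ImageMagick's `convert` is on PATH and dragon.gif is in the cwd.

function buildAnnotateCommand(string $userText): string
{
    // Reject control characters and over-long strings before anything else.
    if (preg_match('/[\x00-\x1F\x7F]/', $userText) || strlen($userText) > 64) {
        throw new InvalidArgumentException('Text contains control characters or is too long');
    }
    // ImageMagick treats text beginning with "@" as a file name to read, so refuse it.
    if ($userText !== '' && $userText[0] === '@') {
        throw new InvalidArgumentException('Text must not begin with "@"');
    }
    // escapeshellarg() already wraps the value in single quotes (double quotes on
    // Windows) and escapes any quotes inside it. Do NOT add another pair around it:
    //   "-annotate +0+2 '" . escapeshellarg($t) . "'"   -> renders literal quotes
    //   '-annotate +0+2 '  . escapeshellarg($t)         -> one safe argument
    $arg = escapeshellarg($userText);
    return 'convert dragon.gif -gravity South -background Plum -splice 0x18 '
         . '-annotate +0+2 ' . $arg . ' anno_splice.gif';
}

// The original construction from the thread, shown only for comparison, pasted
// $text into the command unescaped, so the shell interpreted it, not ImageMagick.
// Hardened use:
$text = $_POST['user_text'] ?? '';
try {
    $cmd = buildAnnotateCommand($text);
    exec($cmd, $output, $status);
    if ($status !== 0) {
        error_log('convert failed: ' . implode("\n", $output));
    }
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo 'Rejected: ' . htmlspecialchars($e->getMessage());
}
```

The length and character checks are a defensive assumption added here, not something the thread discusses; the thread's own fix is the escapeshellarg() call without surrounding quotes.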