Long ago, I used to do SQL queries like:
SELECT * FROM table WHERE id = ' . attempt_to_escape($_GET['id']) . ' ORDER BY timestamp DESC LIMIT 1;
This was horribly scary and I probably messed it up by using/not using quotes or not checking the character encoding properly and a thousand other things. SQL injections. I can't believe this method was ever used, let alone taught.
Today, I always do:
SELECT * FROM table WHERE id = $1 ORDER BY timestamp DESC LIMIT 1;
And the $1 (which is not a PHP variable) refers to separately sent data, in this case $_GET['id']. That is, it isn't part of the actual SQL query and is not escaped in any way by me; it's all handled properly by the database.
However, I am still forced to run terminal commands such as:
whatever.exe --scary-option="' . escape_terminal_argument($untrusted_user_input) . '"
I fear that this, even more so than the SQL stuff, could allow somebody to run arbitrary commands on my machine. Is there really no such thing as "parameterized terminal commands"?
I want to be able to do:
whatever.exe --scary-option="$1"
And then separately send the $1 (which is not a PHP variable) somehow.
I don't think this is possible, but I still wonder:
- Is it?
- If so, how?
- If not, why isn't it?
I wonder this for "all OSes", primarily in a CLI PHP context.
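The mechanism being asked about does exist at the OS level: the exec family of calls (execvp on POSIX, CreateProcess on Windows) takes the program and each argument as separate values, and it is only a shell that turns a single string into those values. In PHP, proc_open() accepts that array form as of PHP 7.4. The following is an added example, not code from the original post, contrasting the quoted-string pattern shown above with the array form. It substitutes PHP itself for whatever.exe so that it is self-contained, and the untrusted input is constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original post. Needs PHP >= 7.4 (array
// form of proc_open) and is meant to be run from the CLI. "whatever.exe" from
// the question is replaced by PHP itself so the example is self-contained:
// the child process just prints each argument it received, one per line.

// Constructed untrusted input: it tries to close the double quotes and append
// extra shell commands (harmless ones here).
$untrusted = 'x"; echo INJECTED; echo "y';

$target     = PHP_BINARY;
$targetArgs = ['-r', 'foreach (array_slice($argv, 1) as $a) { echo $a, "\n"; }', '--'];

// BEFORE: the pattern from the question. A single string goes to the shell
// (/bin/sh here), which re-parses it. Wrapping the value in double quotes is
// not escaping; the embedded quote ends the argument and ";" starts a new
// command. Output on a POSIX shell:
//   --scary-option=x
//   INJECTED
//   y
function runThroughShell(string $target, array $targetArgs, string $value): string
{
    $cmd = escapeshellarg($target);
    foreach ($targetArgs as $a) {
        $cmd .= ' ' . escapeshellarg($a);
    }
    $cmd .= ' --scary-option="' . $value . '"';   // the quoting from the question
    $out = shell_exec($cmd);
    return is_string($out) ? $out : '';
}

// AFTER: the "parameterized command". The program and every argument are
// separate array elements; PHP hands them to the OS with no shell in between
// (on POSIX via execvp; on Windows PHP builds the CreateProcess command line
// with Windows quoting rules itself). The child receives the value verbatim:
//   --scary-option=x"; echo INJECTED; echo "y
function runWithArgv(string $target, array $targetArgs, string $value): string
{
    $cmdline = array_merge([$target], $targetArgs, ['--scary-option=' . $value]);
    $spec    = [1 => ['pipe', 'w']];   // capture stdout only; stdin/stderr are inherited
    $proc    = proc_open($cmdline, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('proc_open failed');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    return is_string($out) ? $out : '';
}

echo "--- through the shell ---\n", runThroughShell($target, $targetArgs, $untrusted);
echo "--- as argv array ---\n",     runWithArgv($target, $targetArgs, $untrusted);
```

Run it with php from a terminal. On a POSIX sh the shell version prints INJECTED on its own line, showing that the input became additional commands, while the array version prints a single line containing the whole input unchanged. escapeshellarg() is the right function when a command string genuinely has to be built, but it is still escaping performed by the caller, and its rules differ between POSIX shells and cmd.exe; the array form removes that problem because no shell ever parses the arguments.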