
GCIH · Question #53

GCIH Question #53: Real Exam Question with Answer & Explanation

The correct answer is A: escapeshellarg().

Web Application Attacks & Post-Exploitation

Question

Which of the following functions can you use to mitigate a command injection attack? Each correct answer represents a part of the solution. Choose all that apply.

Options

  • A. escapeshellarg()
  • B. escapeshellcmd()
  • C. htmlentities()
  • D. strip_tags()

Explanation

PHP provides escapeshellarg() and escapeshellcmd() to sanitize user input before it is passed to shell commands, directly mitigating command injection. Functions like htmlentities() and strip_tags() address HTML/XSS vulnerabilities, not shell injection.

Common mistakes.

  • C. htmlentities() converts special characters to their HTML entity equivalents, which protects against Cross-Site Scripting (XSS) in HTML output but has no effect on how the shell parses commands.
  • D. strip_tags() removes HTML and PHP tags from a string to defend against tag-based XSS injection in web output, and provides no protection against shell metacharacter abuse in command injection scenarios.
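As an added illustration that is not part of the exam page or the PHP manual, the script below runs one constructed attacker-controlled value through all four options so the difference in what the shell would receive is visible. It assumes a Linux/Unix PHP CLI (escapeshellarg() quotes differently on Windows) and uses `ls` as a stand-in for whatever program the application invokes.

```php
<?php
// Added example, not code from the exam page or the PHP project.
// Constructed sample input: a "filename" that also carries a shell metacharacter.
$userInput = "report.txt; id";

// Option A, escapeshellarg(): wraps the whole value in single quotes and
// escapes any embedded single quote, so the shell sees ONE literal argument
// and never interprets ';', '|', '&', '$' or backticks inside it.
// Hypothetical helper: the only place user data touches the command string.
function buildListCommand(string $filename): string
{
    return 'ls -l ' . escapeshellarg($filename);
}
echo "A escapeshellarg(): " . buildListCommand($userInput) . "\n";

// Option B, escapeshellcmd(): backslash-escapes shell metacharacters across a
// whole command string. It stops chained commands, but it does not escape
// spaces, so user data can still turn into extra arguments for the program.
// Apply it to a command you composed yourself, and still quote every
// user-supplied argument individually with escapeshellarg().
echo "B escapeshellcmd(): " . escapeshellcmd('ls -l ' . $userInput) . "\n";

// Options C and D are HTML/XSS defenses. Neither touches ';' or whitespace,
// so the command string they produce is exactly what the shell would have
// parsed without them: the metacharacter is still live.
echo "C htmlentities():   ls -l " . htmlentities($userInput, ENT_QUOTES) . "\n";
echo "D strip_tags():     ls -l " . strip_tags($userInput) . "\n";

// Defensive check a code reviewer can apply: after escaping, the value handed
// to the shell must no longer contain a bare (unquoted, unescaped) ';'.
function metacharStillBare(string $escaped): bool
{
    // Quoted form (A) neutralises it; backslash form (B) neutralises it;
    // the HTML functions (C, D) leave it bare.
    return strpos($escaped, ';') !== false
        && strpos($escaped, "\\;") === false
        && strpos($escaped, "'") === false;
}
foreach (['A' => escapeshellarg($userInput),
          'B' => escapeshellcmd($userInput),
          'C' => htmlentities($userInput, ENT_QUOTES),
          'D' => strip_tags($userInput)] as $opt => $value) {
    echo "$opt leaves ';' bare: " . (metacharStillBare($value) ? 'yes' : 'no') . "\n";
}
```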

Concept tested. PHP shell sanitization functions for command injection prevention

Reference. https://www.php.net/manual/en/function.escapeshellarg.php

Topics

#command injection #input sanitization #escapeshellarg #escapeshellcmd
