Hi JB,
That’s a pretty crazy web hosting company. PHP allows you to disable any function you like. But all the escapeshellarg function does is take a sequence of text and turn it into another sequence of text, by adding backslashes before various characters in the sequence. Turning one sequence of text into another is not a security-sensitive operation of any kind. So, disabling that function “for security reasons” is a very odd thing to do.
On that particular line it doesn’t matter. It’ll just cause database backups to run more slowly.
David
Thanks David. I’ll pass the word along. Appreciate the prompt response.
Hi,
I guess that the hosting company has disabled this function because of actual security issues with it… you can read more here, for example: http://baesystemsdetica.blogspot.it/2013/11/security-issues-with-using-phps.html
Also, a hosting company where I have some sites disables escapeshellarg…
A solution proposed for a similar problem can be found here: http://stackoverflow.com/questions/14095339/codeigniter-escapeshellarg-has-been-disabled-for-security-reasons
David, maybe you can provide a switch in your plugin that allows one to choose between the standard escapeshellarg and a rewritten one :), or to automatically use the rewritten one in case the standard function is not available…
Hope this helps.
Hi russelyeti,
As mentioned, the disabling of escapeshellarg causes no problem other than loss of speed in the UD database backup. The message can be safely ignored.
I don’t really want to have a debate about that blog post… the blogger notes that the PHP security team informed him that he’d misunderstood the matter, and that was my view too.
Disabling a function and then asking coders to write their own function *which does exactly the same thing* (as in the StackExchange link) makes no sense. If the function is dangerous, then a function which does exactly the same thing would be equally dangerous.
David
OK, agree.
Thank you for your reply.