Viewing a response to: @moisesmcardona/steemapi-php-python-open-source
hiveblocksHey!
I'm not PHP expert, but I think steemapi-php API has a huge security breach...
example code: https://github.com/moisesmcardona/steemapi-php-python/blob/master/steemapi-php/getFollowingCount/index.php
```
<?php
header("Content-Type: text/plain");
$account = $_GET['a'];
setlocale(LC_ALL, 'en_US.utf8');
putenv('LC_ALL=en_US.utf8');
echo(exec("python3 ../../steemapi-python/getFollowingCount.py $account"));
?>
```
Using exec calls is terrible idea when Steemit's API is available thru RPC/JSON calls and what is much much more dangerous, the above example code allows to inject any Bash command to run...
```
index.php?a=jamzed;rm -rf/
```
Please consider switching to Curl instead of running Python script and also please escape all input from users :)
You can find a lot of information how to make your code more secure on [Owasp Top 10](https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project) page.| author | jamzed |
|---|---|
| permlink | re-moisesmcardona-steemapi-php-python-open-source-20171120t220655195z |
| category | technology |
| json_metadata | {"tags":["technology"],"links":["https://github.com/moisesmcardona/steemapi-php-python/blob/master/steemapi-php/getFollowingCount/index.php","https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project"],"app":"steemit/0.1"} |
| created | 2017-11-20 22:06:54 |
| last_update | 2017-11-20 22:06:54 |
| depth | 1 |
| children | 0 |
| last_payout | 2017-11-27 22:06:54 |
| cashout_time | 1969-12-31 23:59:59 |
| total_payout_value | 0.000 HBD |
| curator_payout_value | 0.000 HBD |
| pending_payout_value | 0.000 HBD |
| promoted | 0.000 HBD |
| body_length | 934 |
| author_reputation | 2,159,179,776,915 |
| root_title | Deleted |
| beneficiaries | [] |
| max_accepted_payout | 1,000,000.000 HBD |
| percent_hbd | 10,000 |
| post_id | 21,023,891 |
| net_rshares | 0 |
| author_curate_reward | "" |
| voter | weight | wgt% | rshares | pct | time |
|---|---|---|---|---|---|
| gokulnk | 0 | 0 | 100% |