On Sunday 31 March 2002 06:51 pm, you wrote:
> What are the chances of that, and how could it be dealt with?
> Can such attempts be detected and stopped?

Yes, read up on escaping dangerous characters. Basically, here's the scenario...

You do:

    system("command $userinput");

and for $userinput, the user gives you:

    "myemail@xxxxxxxxxx && rm -rf /"

So in turn, your command really becomes:

    system("command myemail@xxxxxxxx && rm -rf /");

Thus removing all files on the system owned by the user executing the script. Thanks to UNIX design, however, you'll only be removing the files the script runs as, generally the web server user, generally "nobody." Still, that's a problem.

John

-- 
# John Madden weez@xxxxxxxxxxxxx ICQ: 2EB9EA
# FreeLists, Free mailing lists for all: //www.freelists.org
# UNIX Systems Engineer, Ivy Tech State College: http://www.ivy.tec.in.us
# Linux, Apache, Perl and C: All the best things in life are free!
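
The scenario from the message above, as an added example that is not part of the original post: it contrasts the single-string system() call with the list form and an allow-list check on the input. It assumes Perl on a Unix host; `echo` stands in for the post's unnamed "command", and the sample inputs and the `looks_like_email` helper are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

$| = 1;    # flush our prints before each child process writes its output

# Constructed sample inputs. A harmless echo stands in for the destructive
# second command shown in the post.
my @inputs = (
    'user@example.com',
    'user@example.com && echo INJECTED',
);

# Hypothetical helper: allow-list check that accepts only the characters
# expected in an e-mail address, so shell metacharacters never get through.
sub looks_like_email {
    my ($addr) = @_;
    return $addr =~ /\A[A-Za-z0-9._%+-]+\@[A-Za-z0-9.-]+\z/ ? 1 : 0;
}

for my $userinput (@inputs) {
    print "--- input: [$userinput]\n";

    # Single-string form, as in the post. When the string contains shell
    # metacharacters, Perl hands it to /bin/sh -c, so "&&" starts a second
    # command.
    print "string form output:\n";
    system("echo $userinput");

    # List form: no shell is involved. The input arrives as one argv
    # element and "&&" is just text. (Input that starts with "-" could
    # still be read as an option by the real command, so validate too.)
    print "list form output:\n";
    system('echo', $userinput);

    # Detection: anything that fails the allow-list is rejected here and
    # can be logged instead of being passed to a command.
    print 'validation: ',
        (looks_like_email($userinput) ? 'accepted' : 'rejected'), "\n";
}
```

For the second input, the string form prints `INJECTED` on its own line, while the list form prints the whole input as literal text and the validation step rejects it.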