I'm developing a web app where users will supply UTF-8 text that will be rendered onto images using ImageMagick. I'm calling the convert command through PHP's shell execute command.
I'm not well versed in sanitizing user input (against injection) for command-line operations and have been having trouble finding resources about my exact situation.
The following article sounds like I don't have much to worry about if the user input is entirely enclosed in quotes in the bash command:
Sanitize user input in bash for security purposes
So my question is: what do I need to worry about for user sanitization/escaping in the following usage?
<?php
//GET USER SUPPLIED POST DATA
$user_input = $_POST['text'];
//CALL IMAGEMAGIK VIA COMMAND LINE TO RENDER IMAGE
exec("convert -pointsize 50 -draw 'text 50,50 \"".$user_input."\" ' /source.png /output.png");
EDIT: Since posting I realized I should just be running ImageMagick as an installed library in PHP... so now I guess, same question, but using the PHP object methods.
You can always put user input into a text file and then use the @filename prefix to read it. This way it will never make it onto a command line.
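A hardened version of the question's call that follows this answer's approach, plus the library route the EDIT asks about, written here as an added example rather than code from the question or the answer. It assumes convert is on PATH, the Imagick PECL extension is installed for the second function, and the source/output paths are placeholders chosen by the caller.

```php
<?php
// Added example (not from the question or answer): render untrusted text with
// ImageMagick without ever interpolating it into a shell command string.
// Assumptions: `convert` is on PATH; the Imagick PECL extension is installed
// for renderTextViaImagick(); $source and $output are caller-supplied paths.
declare(strict_types=1);

/**
 * CLI route: write the text to a private temp file and hand ImageMagick the
 * path with the @ prefix, so the user's bytes never reach the shell parser.
 * escapeshellarg() still wraps every argument we build, as defense in depth.
 * -annotate +50+50 replaces the question's -draw 'text 50,50 ...' primitive.
 */
function renderTextViaCli(string $userText, string $source, string $output): void
{
    $tmp = tempnam(sys_get_temp_dir(), 'txt');
    if ($tmp === false) {
        throw new RuntimeException('could not create temp file');
    }
    try {
        if (file_put_contents($tmp, $userText) === false) {
            throw new RuntimeException('could not write temp file');
        }
        // $tmp comes from tempnam(), so it contains no quotes or shell
        // metacharacters; the user's text is only ever the file's content.
        $cmd = 'convert -pointsize 50 -annotate +50+50 ' . escapeshellarg('@' . $tmp)
             . ' ' . escapeshellarg($source) . ' ' . escapeshellarg($output);
        exec($cmd, $lines, $rc);
        if ($rc !== 0) {
            throw new RuntimeException('convert failed with exit code ' . $rc);
        }
    } finally {
        @unlink($tmp); // do not leave user-controlled content on disk
    }
}

/**
 * Library route (what the EDIT asks about): the Imagick extension calls
 * MagickCore directly, so there is no command line to inject into at all.
 */
function renderTextViaImagick(string $userText, string $source, string $output): void
{
    $image = new Imagick($source);
    $draw  = new ImagickDraw();
    $draw->setFontSize(50);
    $draw->annotation(50, 50, $userText);
    $image->drawImage($draw);
    $image->writeImage($output);
    $image->clear();
}
```

Two checks worth making on the target host: a distribution policy.xml that contains `<policy domain="path" rights="none" pattern="@*"/>` refuses the @ file read, so the CLI route fails there while the Imagick route is unaffected; and ImageMagick interprets text it is given for a leading @ (read this file) and for %-escapes (image properties such as the filename), so text handed directly to annotate should be checked for those before rendering.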