FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » Imported messages » comp.lang.php » Exec Security
Show: Today's Messages :: Polls :: Message Navigator
Return to the default flat view Create a new topic Submit Reply
Re: Exec Security [message #179010 is a reply to message #179009] Mon, 03 September 2012 04:55 Go to previous messageGo to previous message
J.O. Aho is currently offline  J.O. Aho
Messages: 194
Registered: September 2010
Karma:
Senior Member
Ryan wrote:

> IMO I see no security issue with exec() in this setup. The command in exec() is hardcoded, not using any user inputs.
> Someone would have to find a way to write their own php script to use exec() and get it uploaded into my vhost to cause any problems.
> If they can manage to do that that can cause enough issues even with exec() disabled.

I have seen quite many times when a host with exec enabled and user code don't
have any exec calls, where a someone managed to use trigger eval and then
executed exec. I see both exec (and similar) and eval as no no in a web
server. There will always come a day when you want to add something more and
suddenly you have something that will allow things to go wrong, I think it's
better to do a more solid solution from start, even if it takes more work, no
matter if you do use a database or a message queue.

But it's your system, so you decide how you want to do things.


--

//Aho
[Message index]
 
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Previous Topic: Is PDO an abstraction layer?
Next Topic: Net Connect API -php
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Thu Nov 28 06:23:27 GMT 2024

Total time taken to generate the page: 0.04530 seconds