Re: Exec Security [message #179010 is a reply to message #179009] Mon, 03 September 2012 04:55
J.O. Aho
Ryan wrote:

> IMO I see no security issue with exec() in this setup. The command in exec() is hardcoded, not using any user inputs.
> Someone would have to find a way to write their own php script to use exec() and get it uploaded into my vhost to cause any problems.
> If they can manage to do that, that can cause enough issues even with exec() disabled.

I have seen quite many times a host with exec enabled, where the user code doesn't
have any exec calls, and where someone managed to trigger eval and then
executed exec. I see both exec (and similar) and eval as a no-no in a web
server. There will always come a day when you want to add something more and
suddenly you have something that will allow things to go wrong. I think it's
better to do a more solid solution from the start, even if it takes more work, no
matter if you use a database or a message queue.

But it's your system, so you decide how you want to do things.


--

//Aho
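
A runtime check for the exposure discussed in this reply, added here as an example and not part of the original post: it reports which process-spawning functions are still callable by any code that runs in the vhost, and flags that `eval` cannot be switched off through `disable_functions`. The function list and helper names are assumptions chosen for this example; it assumes PHP 7.4 or later and should be run under the same SAPI and pool configuration as the site.

```php
<?php
// Added example (not from the original thread): audit exec-family exposure.

// Functions that start an external process. List chosen for this example;
// the backtick operator is covered by shell_exec.
const EXEC_FAMILY = ['exec', 'shell_exec', 'system', 'passthru',
                     'popen', 'proc_open', 'pcntl_exec'];

/** Parse a disable_functions ini value into a normalized list of names. */
function parse_disabled(string $iniValue): array
{
    $names = array_map('trim', explode(',', strtolower($iniValue)));
    return array_values(array_filter($names, fn($n) => $n !== ''));
}

/** Return the exec-family functions that injected code could still call. */
function callable_exec_functions(array $disabled): array
{
    $open = [];
    foreach (EXEC_FAMILY as $fn) {
        // Reachable only if compiled in and not disabled. Checking both covers
        // PHP < 8, where function_exists() is true for disabled functions.
        if (function_exists($fn) && !in_array($fn, $disabled, true)) {
            $open[] = $fn;
        }
    }
    return $open;
}

$disabled = parse_disabled((string) ini_get('disable_functions'));
$open = callable_exec_functions($disabled);

if ($open === []) {
    echo "OK: no exec-family function is callable\n";
} else {
    echo "WARNING: still callable: " . implode(', ', $open) . "\n";
}

// eval is a language construct, not a function, so disable_functions cannot
// turn it off. Application code has to be reviewed for eval() separately.
if (in_array('eval', $disabled, true)) {
    echo "NOTE: 'eval' in disable_functions has no effect\n";
}
```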