Security of executing a command from php

Posted by Nicolò Martini on Stack Overflow See other posts from Stack Overflow or by Nicolò Martini
Published on 2010-05-04T10:00:54Z Indexed on 2010/05/04 10:08 UTC
Read the original article Hit count: 295

Filed under:

php

|

exec

|

security

I'm writing a web application in which i use several thirdy party commands calling them with the exec function in PHP (for example, I render Latex formulas through a command-line program).

My question is: what are the security issues of executing external command-line programs in php? What I have to be aware of? Can you give me a list of points to check?

Thanks in advance.

© Stack Overflow or respective owner

Related posts about php

Magento, NGINX, PHP-FPM, APC, MEMCACHED, 16gb Ram CentOS, Spiking PHP-FPM to 100% CPU

as seen on Server Fault - Search for 'Server Fault'
I have been trying to resolve my issue of spiking cpu caused by php-fpm processes. I've reduced the php-fpm config settings to: pm = ondemand pm.max_children = 12 pm.start_servers = 2 pm.min_spare_servers = 2 pm.max_spare_servers = 10 pm.max_requests = 500 php_admin_value[memory_limit] = 128M Problem… >>> More
PHP Pear Installation on CentOS

as seen on Server Fault - Search for 'Server Fault'
[root@ip ~]# yum install php-pear* Reducing CentOS-5 Testing to included packages only Finished Setting up Install Process Package 1:php-pear-1.8.1-2.el5.centos.noarch already installed and latest versio … >>> More
Apache configurations for php "AddType text/html php" or "AddType application/x-httpd-php php .php"

as seen on Server Fault - Search for 'Server Fault'
I am taking over an application server and discover that it contain the following settings: AddType text/html php Although it works, but my understanding is that it should set as following: AddType application/x-httpd-php php .php What are the key differences between the two settings?… >>> More
mod_rewrite settings causes server to throw HTTP 500 errors instead of 404

as seen on Server Fault - Search for 'Server Fault'
Hello. I have a server with VBulletin forum (working under Apache 2.2, CentOS). The default settings for it in .htaccess are as follows: RewriteEngine on RewriteCond %{HTTP_HOST} ^gsmforum\.ru RewriteRule (.*) http://www.gsmforum.ru/$1 [R=301,L] # If you are having problems or are using VirtualDocumentRoot… >>> More
Problems installing Memcache (PECL extension)

as seen on Server Fault - Search for 'Server Fault'
I have installed memcached fine, and now I will need to install PECL extension memcache. Im running RedHat x86_64 es5. The installation gives me this: downloading memcache-2.2.6.tgz ... Starting to download memcache-2.2.6.tgz (35,957 bytes) ..........done: 35,957 bytes 11 source files, building running:… >>> More

Related posts about exec

Error during maven/ant build: "[java] Timestamp response not valid"

as seen on Stack Overflow - Search for 'Stack Overflow'
My maven build started failing randomly, and it got the following error which I cannot make sense of, and googling it doesn't give me anything useful: [echo] Creating a full package... [java] Timestamp response not valid [INFO] ------------------------------------------------------------------------ [ERROR]… >>> More
CCNet and .Net 4.0

as seen on Stack Overflow - Search for 'Stack Overflow'
Could not load file or assembly 'System.Data' or one of its dependencies. An attempt was made to load a program with an incorrect format We have just upgraded one of our projects to .Net 4.0 and have re-configured our build server (Cruise Control .Net). Anyone help with the above error?… >>> More
in x64 Windows is there a way to run a Runtime.exec() process avoiding 'Registry redirection'

as seen on Stack Overflow - Search for 'Stack Overflow'
Our app runs in jvm 32 bit, even when in windows x64. Now, at some point, I need to access some registry values, for example HKEY_LOCAL_MACHINE/SOFTWARE/mycomp. I do this by executing cmd /C reg query HKEY_LOCAL_MACHINE\SOFTWARE\mycop from Runtime.exec() and parsing the output. This works fine… >>> More
Uploading a file through exec, hanging script

as seen on Stack Overflow - Search for 'Stack Overflow'
Basically in a nutshell is I am using exec() to run WinSCP, which is causing the script to hold until the file is uploaded. Is there anyway to make it so that the script continues, and the upload runs in the background? Running PHP 5.3.1 on Win7. >>> More
PHP exec() on windows not working

as seen on Stack Overflow - Search for 'Stack Overflow'
Hey, I'm trying to execute a program on windows through PHP, the command is posted below. This doesn't seem to be running through the script at all, even though it works when the command is manually entered into the command prompt. exec('C:\\ffmpeg -i ' . $movedfile . ' -acodec aac -ab 128k -vcodec… >>> More