Is PHP exec safe?


Question

I am trying to get exec working on a Windows server and receiving the error message "unable to fork". After googling the issue a bit, it seems the recommended fix is to give the IUSR account READ and EXECUTE permissions to c:\Windows\System32\cmd.exe.

But that has got to be a major security hole, right? Is it safe? Is there another way to execute [from PHP] an exe residing on the server?

Recommended answer

It needs to execute cmd.exe because when the Windows PHP sees this:

exec("foo -bar -baz");

it calls:

cmd /c foo -bar -baz

It's only a security hole if you let your user enter parameters. I.e., you shouldn't do this:

// DO NOT DO THIS!
exec("foo -bar=" . $_GET['bar']);

Instead, you should sanitize your parameters with escapeshellarg.

// This is okay.  (Be sure foo.exe can handle unexpected input!)
exec("foo -bar=" . escapeshellarg($_GET['bar']));
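
An added example, not part of the original answer: the same call made through the array form of proc_open (PHP 7.4 or later), which starts the program directly instead of handing a command line to cmd /c, with an allow-list check on the parameter. The path C:\tools\foo.exe and the allow-list pattern are assumptions chosen for illustration.

```php
<?php
// Added example. FOO_EXE and the allow-list pattern are assumptions.
const FOO_EXE = 'C:\\tools\\foo.exe'; // hypothetical path to the program

// Reject anything outside the characters this option legitimately needs.
function validate_bar(string $value): string
{
    if (!preg_match('/\A[A-Za-z0-9_.-]{1,64}\z/', $value)) {
        throw new InvalidArgumentException('bar: unexpected characters or length');
    }
    return $value;
}

// Start foo.exe directly and return its exit code and combined output.
function run_foo(string $bar): array
{
    // Array form (PHP 7.4+): no shell parses the command line, so shell
    // metacharacters in an argument are never interpreted.
    $command = [FOO_EXE, '-bar=' . validate_bar($bar)];
    $spec = [
        0 => ['pipe', 'r'],      // stdin, closed immediately below
        1 => ['pipe', 'w'],      // stdout, read by PHP
        2 => ['redirect', 1],    // stderr merged into stdout (one pipe to drain)
    ];
    $pipes = [];
    $proc = proc_open($command, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start ' . FOO_EXE);
    }
    fclose($pipes[0]);
    $output = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    return ['exit' => proc_close($proc), 'output' => $output];
}

// Usage with the request parameter from the answer above.
try {
    $bar = $_GET['bar'] ?? '';
    $result = run_foo(is_string($bar) ? $bar : '');
    echo htmlspecialchars($result['output'], ENT_QUOTES, 'UTF-8');
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo 'invalid parameter';
}
```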
