PHP exec安全吗? [英] Is PHP exec safe?
问题描述
我试图让exec在Windows服务器上工作,并收到错误消息无法分叉".仔细研究了该问题之后,似乎建议的解决方法是为IUSR帐户授予对c:\ Windows \ System32 \ cmd.exe的读取和执行权限.
I am trying to get exec working on a Windows server and receiving the error message "unable to fork". After googling the issue a bit, it seems the recommended fix is to give the IUSR account READ and EXECUTE permissions to c:\Windows\System32\cmd.exe.
但这确实是一个主要的安全漏洞,对吗?安全吗?还有另一种方法可以执行[从php]驻留在服务器上的exe吗?
But that has got be a major security hole right? Is it safe? Is there another way to execute [from php] an exe residing on the server?
推荐答案
它需要执行cmd.exe,因为当Windows PHP看到此内容时:
It needs to execute cmd.exe because when the Windows PHP sees this:
exec("foo -bar -baz");
它称为:
cmd /c foo -bar -baz
如果您让用户输入参数,这只是一个安全漏洞.即,您不应该这样做:
It's only a security hole if you let your user enter parameters. I.E., you shouldn't do this:
// DO NOT DO THIS!
exec("foo -bar=" . $_GET['bar']);
相反,您应该使用 escapeshellarg 清理参数.
Instead, you should sanitize your parameters with escapeshellarg.
// This is okay. (Be sure foo.exe can handle unexpected input!)
exec("foo -bar=" . escapeshellarg($_GET['bar']));
这篇关于PHP exec安全吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!