Stut wrote:
> Per Jessen wrote:
>> Eric Butera wrote:
>>
>>> You should never use exec & friends when there is another way around
>>> the problem. It is a security concern.
>>
>> Why is it a security concern to execute another bit of code?
>>
>> I really fail to see any security concern in doing e.g.
>>
>> exec('gzip -c /tmp/myinputfile')
>
> Do that per request and it becomes a lot easier to DOS the server. Not
> a 'security' risk so much as a stability risk, but a risk all the
> same.
Make any PHP-based script available without usage-restriction, and
you've got yourself a DDOS potential. Using exec() doesn't change
anything.
/Per Jessen, Zürich
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
