Per Jessen wrote:
> Stut wrote:
>> Per Jessen wrote:
>>> Eric Butera wrote:
>>>> You should never use exec & friends when there is another way around
>>>> the problem. It is a security concern.
>>> Why is it a security concern to execute another bit of code?
>>> I really fail to see any security concern in doing e.g.
>>> exec('gzip -c /tmp/myinputfile')
>> Do that per request and it becomes a lot easier to DOS the server. Not
>> a 'security' risk so much as a stability risk, but a risk all the
>> same.
> Make any PHP-based script available without usage-restriction, and
> you've got yourself a DDOS potential. Using exec() doesn't change
> anything.
I would argue that it makes it easier since creating and tearing down
processes is a pretty expensive operation for most OSes, but like I said
you're free to do whatever you want with your servers and clients.
Unfortunately I skipped past the start of this thread and I can't
remember what the OP was actually trying to do, but I view process
creation from a web request in the same way I view eval - it's almost
always the wrong way to get a job done.
-Stut
--
http://stut.net/
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
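An added example, not code posted by anyone in this thread: the "other way around the problem" for Per's gzip case. It compresses the file inside the PHP process with the zlib extension (gzopen/gzwrite), so a web request never forks a child, and keeps a shell-out variant only as a fallback, with escapeshellarg() on the paths and the exit status checked. The temporary file paths and the sample content are assumptions constructed for the demo.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread. Compresses a file inside the PHP
// process with the zlib extension instead of exec('gzip -c ...'), so a
// per-request call never spawns a child process. Streaming in 64 KiB
// chunks keeps memory flat for large inputs.
function gzipFileInProcess(string $src, string $dst, int $level = 6): int
{
    $in = fopen($src, 'rb');
    if ($in === false) {
        throw new RuntimeException("cannot open $src for reading");
    }
    // gzopen() writes a standard gzip container; 'wb6' = write, binary, level 6.
    $out = gzopen($dst, 'wb' . $level);
    if ($out === false) {
        fclose($in);
        throw new RuntimeException("cannot open $dst for writing");
    }
    $bytesIn = 0;
    while (!feof($in)) {
        $chunk = fread($in, 65536);
        if ($chunk === false || $chunk === '') {
            break;
        }
        gzwrite($out, $chunk);
        $bytesIn += strlen($chunk);
    }
    gzclose($out);
    fclose($in);
    return $bytesIn;
}

// Fallback for when shelling out is genuinely unavoidable: both paths go
// through escapeshellarg() so request data can never alter the command line,
// and a non-zero exit status is treated as failure. Every call still pays
// the fork/exec cost Stut describes, so it should not run per request.
function gzipFileViaShell(string $src, string $dst): void
{
    $cmd = sprintf('gzip -c %s > %s', escapeshellarg($src), escapeshellarg($dst));
    exec($cmd, $output, $status);
    if ($status !== 0) {
        throw new RuntimeException("gzip exited with status $status");
    }
}

// Constructed input standing in for /tmp/myinputfile (assumption for the demo).
$src = tempnam(sys_get_temp_dir(), 'in_');
$dst = $src . '.gz';
file_put_contents($src, str_repeat("hello from the php list\n", 10000));

$n = gzipFileInProcess($src, $dst);
$roundTrip = gzdecode(file_get_contents($dst));
printf("compressed %d bytes to %d bytes, round-trip %s\n",
    $n, filesize($dst), $roundTrip === file_get_contents($src) ? 'ok' : 'MISMATCH');

unlink($src);
unlink($dst);
```

Run it with `php gzip_inproc.php` on a build that has the zlib extension enabled (`php -m | grep zlib`). The in-process path is the one to use from a request handler; gzipFileViaShell() is there to show the minimum hygiene (quoting and exit-status check) if a shell-out cannot be avoided.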