Re: Gzipped output

On Thu, Feb 14, 2008 at 3:52 PM, Richard Lynch <ceo@xxxxxxxxx> wrote:
>
>
>  On Mon, February 11, 2008 9:59 am, Eric Butera wrote:
>  > On Feb 11, 2008 10:44 AM, Per Jessen <per@xxxxxxxxxxxx> wrote:
>  >> Eric Butera wrote:
>  >>
>  >> >> I like it from a coding point of view (it's neat and elegant),
>  >> >> but I don't think it achieves anything else than my initial
>  >> >> suggestion of using exec(gzip -c).
>  >> >>
>  >> >
>  >> > Except for that little thing where you shouldn't be using execs in
>  >> > public facing code.
>  >>
>  >> Why not?
>  >
>
> > You should never use exec & friends when there is another way around
>  > the problem.  It is a security concern.
>
>  The only security concern I am aware of is if you pass in user
>  supplied data to the exec() arg...
>
>  And if you filter it properly, it is no more risky than anything else.
>
>  If you don't filter properly, then you're in trouble no matter what
>  external lib you are using...
>
>
>
>  --
>  Some people have a "gift" link here.
>  Know what I want?
>  I want you to buy a CD from some indie artist.
>  http://cdbaby.com/from/lynch
>  Yeah, I get a buck. So?
>
>

Okay so let's just take a look at how many applications across the
internet have SQL vulns.

Look at secunia.

http://secunia.com/search/?search=sql

"Found: 2625 Secunia Security Advisories, displaying 1-25"

Oh crap!  So let's just assume we're all idiots and we can't secure
our applications.  Since we can't secure our applications we need to
take the next step which is damage control.  At least against sql
injection we can re-roll our backup and be online in a few minutes
with the appropriate patch.

Let us look at XSS now.  http://sla.ckers.org/forum/list.php?2  Looks
like there are quite a few of those too.  If Google/Yahoo can't stop
this stuff, how are we mere mortals supposed to?

With the ability to run raw executable commands, you're going to have
a lot harder time fixing that situation.  So yes, it is possible to
run stuff safely and secure like, but it is not easy and is very
error prone.  That is why I recommend never even attempting it.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
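The "other way around the problem" the thread keeps pointing at is PHP's own zlib support, which gzips output without spawning a shell at all. The snippet below is an added example written for this archive page, not code from any poster; it assumes the zlib extension is loaded and uses a constructed payload in place of real page output.

```php
<?php
// Added example, not from the thread: gzipped output with no exec().
// Assumes ext/zlib is available (gzencode) and a constructed payload.

// Constructed stand-in for whatever the page would normally print.
$body = str_repeat("Hello, gzipped world!\n", 200);

// Native approach: no process spawn, no shell, no arguments to quote.
function gzipResponse($body, $level = 6)
{
    $encoded = gzencode($body, $level);   // RFC 1952 gzip container
    if ($encoded === false) {
        throw new RuntimeException('gzencode failed');
    }
    return $encoded;
}

// Send compressed bytes only to clients that advertised gzip support.
$acceptEnc   = isset($_SERVER['HTTP_ACCEPT_ENCODING'])
             ? $_SERVER['HTTP_ACCEPT_ENCODING'] : '';
$acceptsGzip = stripos($acceptEnc, 'gzip') !== false;

if ($acceptsGzip) {
    $out = gzipResponse($body);
    header('Content-Encoding: gzip');
    header('Vary: Accept-Encoding');
    header('Content-Length: ' . strlen($out));
    echo $out;
} else {
    header('Content-Length: ' . strlen($body));
    echo $body;
}

// For contrast, the exec(gzip -c) route from the thread has to spawn a
// process through a shell, so every value that reaches the command line
// must be quoted with escapeshellarg() without exception:
//   $arg = escapeshellarg($path);     // the "filter" Richard refers to
//   exec("gzip -c $arg", $lines);
// One forgotten escapeshellarg() is a command injection; gzencode() has
// no equivalent failure mode because no command line is ever built.
```

Wrapping the whole script in ob_start('ob_gzhandler') achieves the same result for output you don't build into a single string first.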

