On Fri, February 15, 2008 8:54 am, Eric Butera wrote:
> On Thu, Feb 14, 2008 at 3:52 PM, Richard Lynch <ceo@xxxxxxxxx> wrote:
>>
>> On Mon, February 11, 2008 9:59 am, Eric Butera wrote:
>> > On Feb 11, 2008 10:44 AM, Per Jessen <per@xxxxxxxxxxxx> wrote:
>> >> Eric Butera wrote:
>> >>
>> >> >> I like it from a coding point of view (it's neat and elegant), but I
>> >> >> don't think it achieves anything else than my initial suggestion of
>> >> >> using exec(gzip -c).
>> >> >
>> >> > Except for that little thing where you shouldn't be using execs in
>> >> > public facing code.
>> >>
>> >> Why not?
>> >
>> > You should never use exec & friends when there is another way around
>> > the problem. It is a security concern.
>>
>> The only security concern I am aware of is if you pass in user
>> supplied data to the exec() arg...
>>
>> And if you filter it properly, it is no more risky than anything else.
>>
>> If you don't filter properly, then you're in trouble no matter what
>> external lib you are using...
>>
>> --
>> Some people have a "gift" link here.
>> Know what I want?
>> I want you to buy a CD from some indie artist.
>> http://cdbaby.com/from/lynch
>> Yeah, I get a buck. So?
>
> Okay so let's just take a look at how many applications across the
> internet have SQL vulns.
>
> Look at secunia.
>
> http://secunia.com/search/?search=sql
>
> "Found: 2625 Secunia Security Advisories, displaying 1-25"
>
> Oh crap! So let's just assume we're all idiots and we can't secure
> our applications. Since we can't secure our applications we need to
> take the next step which is damage control. At least against sql
> injection we can re-roll our backup and be online in a few minutes
> with the appropriate patch.
>
> Let us look at XSS now. http://sla.ckers.org/forum/list.php?2 Looks
> like there are quite a few of those too. If Google/Yahoo can't stop
> this stuff how are us mere mortals supposed to?
>
> With the ability to run raw executable commands, you're going to have
> a lot harder time fixing that situation. So yes, it is possible to
> run stuff safely and secure like, but it is not easy and is very
> error prone. That is why I recommend to never even attempt it.

The existence of a few million morons who can type insecure stuff in PHP does not invalidate my statement. :-)

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/from/lynch
Yeah, I get a buck. So?

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
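The three positions in this thread side by side, as an added PHP example that is not from any of the messages: the unfiltered exec() call, the "filter it properly" version Richard describes, and the in-process alternative that needs no exec() at all. The upload directory and the filename rules are assumptions.

```php
<?php
// Added example, not code from the thread. $name is assumed to come from the
// request; /var/www/uploads is an assumed upload directory.
// (a) The pattern the thread warns about: user data concatenated into the
//     command string. The shell parses that string, so shell metacharacters
//     in $name change what runs, not just which file is compressed.
function gzip_unsafe(string $name): string
{
    exec("gzip -c /var/www/uploads/" . $name, $lines);
    return implode("\n", $lines);
}
// Shared check for the two safer variants: strict filename allowlist, then
// confine the resolved path to the upload directory.
function resolve_upload(string $name): string
{
    if (!preg_match('/\A[A-Za-z0-9._-]{1,64}\z/', $name)) {
        throw new InvalidArgumentException('invalid file name');
    }
    $base = realpath('/var/www/uploads');
    $full = ($base === false) ? false : realpath($base . '/' . $name);
    if ($full === false || strpos($full, $base . '/') !== 0) {
        throw new RuntimeException('file not found');
    }
    return $full;
}
// (b) "Filter it properly": the validated path is passed as a single quoted
//     argument via escapeshellarg(), after "--" so it cannot be parsed as an
//     option. shell_exec() is used because gzip output is binary and exec()
//     would split it on newlines.
function gzip_filtered_exec(string $name): string
{
    $out = shell_exec('gzip -c -- ' . escapeshellarg(resolve_upload($name)));
    if (!is_string($out)) {
        throw new RuntimeException('gzip failed');
    }
    return $out;
}
// (c) The no-exec route: zlib does the same work in-process, so there is no
//     command line for user data to reach at all.
function gzip_in_process(string $name): string
{
    $data = file_get_contents(resolve_upload($name));
    $gz = ($data === false) ? false : gzencode($data, 9);
    if ($gz === false) {
        throw new RuntimeException('compression failed');
    }
    return $gz;
}
```

Variant (c) removes the attack surface rather than filtering it, which is the point Eric is making; variant (b) shows what "filtering properly" actually has to cover (allowlist, path confinement, argument quoting, option terminator) before an exec() call is as safe as he concedes it can be.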