Security Question about PHP exec and other similar functions
Hi everyone, noob question here: how safe is it to enable the PHP exec or similar functions in a hosting environment? Would you guys be kind enough to tell me whether you do or don't? If it is enabled, would it mean that processes running under a specific user can hack or root the Linux box itself? What's your take on this?
Comments
Usually, it's not necessary. If you do find it to be necessary, chances are you're doing something wrong. If you're offering shared hosting, then there's really no reason to leave it enabled. If it's your own server and your own website, then you need to be extremely strict with what goes in. Ideally, no user-supplied input should ever go through exec, and if it absolutely must, filter filter filter. For example, I have a page on one of my sites that can do a traceroute or ping to a user-supplied IP address, and I use PHP FILTER_VALIDATE_IP on the input.
I'm doing something similar, with my own filtering code and escapeshellcmd.
Yes, one of the reasons I asked was because I saw someone using a PHP script to do some exec commands and I was thinking that if it was a host node, it's a bit dangerous... Thanks for the replies and insights.
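
The ping page described in the comments above, sketched as an added example (not code from any poster in this thread): the input is accepted only if `FILTER_VALIDATE_IP` passes, and the command is then started without a shell, so no escaping step is needed. The function names `validate_ip` and `ping_host` are hypothetical, and the code assumes Linux iputils `ping`, PHP 7.4+ (array form of `proc_open`), and that `proc_open` is not listed in `disable_functions`.

```php
<?php
declare(strict_types=1);

// Added example. Returns the address if $input is a syntactically valid
// IPv4/IPv6 literal, otherwise null. Hostnames, spaces, option-like strings
// and shell metacharacters all fail, because none can occur in an IP literal.
function validate_ip(string $input): ?string
{
    $ip = filter_var($input, FILTER_VALIDATE_IP);
    return $ip === false ? null : $ip;
}

// Runs "ping -c 3 -W 2 <ip>" and returns its stdout, or null when the input
// is rejected or the process cannot be started.
function ping_host(string $input): ?string
{
    $ip = validate_ip($input);
    if ($ip === null) {
        return null; // reject; never try to "clean up" bad input
    }
    // Array form: PHP executes the program directly, with each element as
    // one argv entry. No /bin/sh is involved, so nothing is shell-parsed.
    $cmd  = ['ping', '-c', '3', '-W', '2', $ip];
    $spec = [1 => ['pipe', 'w'], 2 => ['file', '/dev/null', 'w']];
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        return null;
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    return $out === false ? null : $out;
}

// Constructed sample inputs: only the validation step is exercised here,
// so running this file sends no network traffic.
$samples = ['192.0.2.10', '2001:db8::1', '192.0.2.10; id', '-f', 'example.com'];
foreach ($samples as $s) {
    printf("%-16s %s\n", $s, validate_ip($s) === null ? 'rejected' : 'accepted');
}
```

If a shell string is unavoidable (for example on PHP older than 7.4), quote the validated value with `escapeshellarg()`; `escapeshellcmd()` escapes metacharacters across the whole string but does not stop input from being read as an extra option or argument.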