Using system commands is a dangerous operation, especially if you are trying to use remote data to construct the command to be executed. If contaminated data is used, command injection vulnerabilities arise.
Exec() is a function used to execute shell commands. It returns execution and returns the last line of the command's output, but you can specify an array as the second argument so that each line of output will be stored as an element in the array. How to use:
<?php $last = exec('ls', $output, $return); print_r($output); echo "Return [$return]"; ?>
Assume that the ls command will produce the following output when run manually in the shell:
$ ls total 0 -rw-rw-r-- 1 chris chris 0 May 21 12:34 php-security -rw-rw-r-- 1 chris chris 0 May 21 12:34 chris-shiflett
When running in exec() through the method in the above example, the output result is as follows:
Array ( [0] => total 0 [1] => -rw-rw-r-- 1 chris chris 0 May 21 12:34 php-security [2] => -rw-rw-r-- 1 chris chris 0 May 21 12:34 chris-shiflett ) Return [0]
This method of running shell commands is convenient and useful, but this convenience brings you significant risks. If the contaminated data is used to construct a command string, the attacker can execute arbitrary commands.
I suggest that you avoid using shell commands if possible. If you do use them, make sure to filter the data used to construct the command string and escape the output:
<?php $clean = array(); $shell = array(); /* Filter Input ($command, $argument) */ $shell['command'] = escapeshellcmd($clean['command']); $shell['argument'] = escapeshellarg($clean['argument']); $last = exec("{$shell['command']} {$shell['argument']}", $output, $return); ?>
Although there are many ways to execute shell commands, it is important to insist that only filtered and escaped data is allowed when constructing the string to be executed. Other similar functions that need attention include passthru(), popen( ), shell_exec( ), and system( ). Again, I recommend avoiding the use of all shell commands if possible.
The above is the content of PHP security-command injection. For more related content, please pay attention to the PHP Chinese website (www.php.cn)!