douhuanqiao5290 2015-01-21 15:33
浏览 136
已采纳

如果我在php中使用system()函数并且命令包含密码,那么它有多安全?

I have a php script which generates a report. The end user of this report wants it uploaded to a server where they can access it. I have an account with SFTP access to upload files to their server.

One way to do this would be to call

system("lftp -e ... -u user,password sftp://host");

I know that it is usually unsafe to provide a password on the command line, since other users can see command lines with programs like w and ps.

Since this is done from the php process, is this any different or just as unsafe?

Obviously using CURL or another library to do the SFTP connection would be safest and the "right way" to do it. This question is for my education on this particular issue, so I don't need anyone to tell me to use curl instead. The ftp example is just an example.

  • 写回答

1条回答 默认 最新

  • dougua3706 2015-01-23 02:31
    关注

    i can think of 3 potential problems:

    • visible using ps (just as from console)
    • may be (not sure if really is) stored in shell history which means, on hdd (just as from console)
    • if you keep password in your source file instead of keeping it in variable then it's also in VCS (different than from console)
    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 delta降尺度计算的一些细节,有偿
  • ¥15 Arduino红外遥控代码有问题
  • ¥15 数值计算离散正交多项式
  • ¥30 数值计算均差系数编程
  • ¥15 redis-full-check比较 两个集群的数据出错
  • ¥15 Matlab编程问题
  • ¥15 训练的多模态特征融合模型准确度很低怎么办
  • ¥15 kylin启动报错log4j类冲突
  • ¥15 超声波模块测距控制点灯,灯的闪烁很不稳定,经过调试发现测的距离偏大
  • ¥15 import arcpy出现importing _arcgisscripting 找不到相关程序