drqefnd544707688 2017-03-10 10:10
浏览 62


I'm trying to make and automated installer for my platform that download lastest wordpress tar and untar directly in the member directory, then remove all the temp files.

$dir = $_GET['username'];
if ($dir != null ) {
   print 'Downloading...';
   shell_exec('wget https://wordpress.org/latest.tar.gz -P /home/ubuntu/workspace/members/' . $dir);
   print 'OK | ';
   print 'Extracting...';
   shell_exec('tar xvzf /home/ubuntu/workspace/members/' . $dir . '/lastest.tar.gz -C /home/ubuntu/workspace/members/' . $dir);
   print 'OK | ';
   print 'Moving to root...';
   shell_exec('mv /home/ubuntu/workspace/members/' . $dir . '/wordpress /home/ubuntu/workspace/members/' . $dir);
   print 'OK | ';
   print 'Directory polish...';
   shell_exec('rm /home/ubuntu/workspace/members/' .$dir . '/wordpress | rm /home/ubuntu/workspace/members' . $dir . '/lastest.tar.gz');
   print 'OK | DONE.';
} else {
   print 'Error in get member name';

This work fine, latest file where downloaded and extracted, files where moved etc.

I would like to speedup the execution of this script, i've put the sleep()to make sure commands are not executed after the previous is done but I don't know if the system is loaded so I've put much time to wait.

There is a way to exactly know when a process is complete and start next process? will I must to put all in a line using the command separator |? Or there is an easy way to make it faster?

EDIT: According to the Replies it's easy to make this working faster removing the sleep()commands, but this script is pretty unsecure, so how can I make this more secure to execute?

  • 写回答

1条回答 默认 最新

  • douyan1321 2017-03-10 10:23

    shell_exec does not return until the executing command is complete - which you can verify yourself by running

    shell_exec("sleep 3");
    echo "done";

    and seeing how long it takes.

    Meaning: you do not have to sleep at all.

    That being said: using user input directly in a system command is a huge huge security risk. any attacker could inject malicious code and completely compromise your server without lots of effort. a complete loss of data would be the least threatening scenario.

    As a baseline: never trust user input!. to make your current code more secure: verify the input - for example, check if it is only alphanumeric, if it's a valid username, if it's the name of the currently logged in user, if the folder actually exists, and so on.
    Best would be to store a sanitized path to your user directory in a database and look it up (with parameterized statements, lest you open yourself to SQL Injection instead).

    本回答被题主选为最佳回答 , 对您是否有帮助呢?



  • ¥15 PFENet的预训练权重
  • ¥15 程序哪有错误怎么改?
  • ¥15 交换机和交换机之间的链路带宽以及主机带宽的理解
  • ¥15 ai创想家对战模式代码
  • ¥15 集合A由3个2行4列二维数组构成,从集合A中任意取一个二维数组元素、如果该二维数组元素的对应列位置的上、下两数都是奇数,而且仅有2个列是奇数/奇数,则该数组有意义,并放入集合B中打印输出。
  • ¥15 电信IPV6 无法外网访问吗
  • ¥15 有偿求效果比较好的遥感影像匹配的c++代码
  • ¥15 博主,你好,我下载了你的智能网联汽车辅助驾驶安全信息检测系统,现在不会运行,可以教我吗,
  • ¥15 怎么在excle输入下列公式
  • ¥15 Arduino,利用modbus的RS485协议,进行对外置的温湿度传感器进行数据读取