This question is tagged C, php and python. I don't know python, but the C and PHP `system` functions differ in at least one respect: the PHP function has an optional second argument.

In C (and according to the documentation, PHP does the same thing), `system` runs the command by executing `/bin/sh -c command`. The issue here is whether `command` is completely under your control. If `command` is a constant string, you are reasonably safe. However, if `command` has any user provided elements, you'd better be very careful. Let's say you thought this was a good way to add a string `$foo` to a log:

```php
system ("echo '$foo' >> /var/log/bar");
```

in php is not going to be a great idea, because `$foo` might contain the following (including the quotes):

```
'x && /bin/rm -rf / && echo '
```

Much better to use something like `exec`, where you don't need to worry about quoting, separating parameters etc. (rather than pass it through `/bin/sh`), and even then you need to be very careful.
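As an added illustration of the point above (not part of the answer, and written in Python since the question is tagged python rather than in the answerer's PHP), the block below shows both halves of the argument: what `/bin/sh -c` would make of the interpolated `echo '$foo' >> /var/log/bar` string when `$foo` carries the quoted payload, and how passing `foo` as a single argv element with no shell keeps it inert. The injected string and the log path are the answer's own; the function names, the tokenizer-based check and the use of `shlex` as a stand-in for the shell's word splitting are my assumptions, and the dangerous command is only tokenized, never executed.

```python
from __future__ import annotations

import shlex
import subprocess

# Constructed sample: the payload from the answer, including its surrounding quotes.
MALICIOUS_FOO = "'x && /bin/rm -rf / && echo '"


def shell_command_for(foo: str) -> str:
    """The string the vulnerable PHP line hands to /bin/sh -c (same interpolation)."""
    return f"echo '{foo}' >> /var/log/bar"


def shell_words(command: str) -> list[str]:
    """Tokenize like a POSIX shell would (quotes honoured and stripped).

    shlex.split is an approximation of sh's lexer, good enough to show where the
    quoting breaks; nothing here is executed.
    """
    return shlex.split(command)


def injected_programs(foo: str) -> list[str]:
    """Return every program name the shell would run for the interpolated command.

    A program name is the first word of the line and the first word after a
    control operator (&&, ||, ;, |). A safe value yields exactly ["echo"];
    anything longer means the caller's quoting was broken out of.
    """
    programs: list[str] = []
    expect_program = True
    for word in shell_words(shell_command_for(foo)):
        if expect_program:
            programs.append(word)
            expect_program = False
        if word in ("&&", "||", ";", "|"):
            expect_program = True
    return programs


def safe_echo(foo: str) -> str:
    """Hardened form: argv list, no shell.

    foo reaches echo as one argument regardless of quotes or operators in it,
    because no shell ever parses it. Any redirection (the >> /var/log/bar of the
    original) belongs in the caller, e.g. stdout=open(path, "a"), not in a
    command string. Returns what echo printed.
    """
    result = subprocess.run(["echo", foo], capture_output=True, text=True, check=True)
    return result.stdout.rstrip("\n")


if __name__ == "__main__":
    print("shell would run:", injected_programs(MALICIOUS_FOO))   # ['echo', '/bin/rm', 'echo']
    print("argv form prints:", safe_echo(MALICIOUS_FOO))            # the payload, verbatim
```

`injected_programs` is a detection-style check you can run over any template you are tempted to interpolate into: if a candidate value produces more than one program name, the template is injectable. The `safe_echo` side is the answer's `exec` advice in Python terms; the C equivalent is `fork` plus `execv` with a filled-in `argv`, and PHP's `escapeshellarg` is the fallback when a shell really is unavoidable.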