安全地使用PHP exec函数

I am writing a PHP script designed to run an executable file (ffmpeg.exe) via the exec() function. The problem is that I have read that using the exec() function can be a security risk and should be avoided if possible. I have been doing some research into how to run the exec() function securely, and the only thing that I keep coming across is to filter the command string with escapeshellcmd or escapeshellarg. What I want to know is if it is possible to further increase security when using the exec() function or if there is a secure alternative to exec(). Any help would be appreciated.

Here is my code;

define('FFMPEG_LIBRARY', 'c:\\ffmpeg7\\ffmpeg\\bin\\ffmpeg ');
$transcode_string = FFMPEG_LIBRARY." -i " . $srcFile . " -acodec libmp3lame -ab 64k -ar 22050 -ac 1 -vcodec libx264 -b:v 250k -r 30 -f flv -y " . $destFile;
$transcode_string = escapeshellcmd($transcode_string);
exec($transcode_string);

$srcFile is basically the video for transcoding while $destFile is the output file I wish to create.

写回答
好问题 0 提建议
追加酬金
关注问题
分享
邀请回答
编辑收藏删除结题
收藏举报

2条回答默认最新

关注

码龄粉丝数原力等级 --

被采纳

被点赞

采纳率
donglangtun1850 2012-01-19 18:32
关注
using the exec() function can be a security risk and should be avoided if possible.

That's a bit of a generalization - it is perfectly possible to build a secure solution using exec(). But it's indeed hard: there are many pitfalls in executing external programs, especially if you are passing outside parameters to them.

The first step, as you say, is to escape everything using escapeshellarg() to prevent the injection of other, possibly harmful commands.

Then the question is what damage entering wrong values could cause in the program that is being called. For example,

running a ffmpeg operation on a 200000 x 200000 pixels large video may well cause a server hangup because the call tries to allocate an impossible amount of memory. So you have to sanitize the size values the user can enter, and exit if they are too large, or not numbers.

a malicious user could tell ffmpeg to use a configuration file and try to create a video from that, possibly resulting in the configuration file to be used as output, so you need to limit the range of file paths users can specify.

And so on and so on.

Also, you need to think about the possibility of killing the server through the mere number of requests. What if I send 50 requests a second to a PHP script that in turn calls a complex ffmpeg command? The server may easily break under the burden, and you may want to protect against that.

So: there is no inherent security problem in using exec(), but every incoming parameter that gets passed to it needs to be looked at very carefully.
本回答被题主选为最佳回答 , 对您是否有帮助呢?

解决无用
评论打赏
分享
举报

评论

按下Enter换行，Ctrl+Enter发表内容

查看更多回答(1条)

报告相同问题？

关注问题

安全地使用PHP exec函数 php
2012-01-19 18:25

回答 2 已采纳 using the exec() function can be a security risk and should be avoided if possible. That's a
无法使用php exec函数执行nutch crawl命令 php
2019-04-12 12:47

回答 1 已采纳 In order to run Nutch you need the JAVA_HOME environment variable set and pointing to the proper p
我如何在PHP中获得exec函数的权限 php
2015-12-31 12:05

回答 1 已采纳 You can enable it by disabling safe_mode() in php.ini. As far as whether or not you should do thi
PHP中如何判断exec函数执行成功？
2020-10-21 19:29

在PHP日常开发中有时候会要判断exec函数是否执行成功了呢？那如何判断呢？下面跟着小编一起通过本文来学习学习。
php的exec()函数怎么调用 php
2015-07-22 02:19

回答 5 已采纳 ``` exec("C:\wamp\www\web_dev\test\my_program.exe $argument"); ^---
PHP exec（）函数 - post扩展 php
2011-11-28 09:30

回答 4 已采纳 You cannot run anything on the client machine from a PHP script running on the server. It's imposs
如何使用nginx，php-fpm和Arch Linux从exec函数sudo nginx php
2014-12-13 23:48

回答 1 已采纳 I appended 2>&1 to my command to see errors and it said "sudo: command not found". I then adde
php模拟ping命令（php exec函数的使用方法）
2020-12-19 09:05

使用php模拟我们常用的DOS命令ping命令的方法，这里主要用到的是php的内置函数exec来调用系统的ping命令,从而实现ping命令功能的。复制代码代码如下:<?php$to_ping=’www.phpernote.com’;$count=2;$psize=66;...
试图在Java中复制PHP exec（）函数 java php
2012-03-11 18:58

回答 2 已采纳 The file you mention is an autoscript file that does not do anything by itself. Like a text file.
php 通过cmd可以执行php程序，但使用exec()时报错：Could not open input file？ php
2019-07-13 18:18

回答 2 已采纳好像是转义符的问题，我把testMail.php改成index.php,就能执行成功了。![图片说明](https://img-ask.csdn.net/upload/201907/13/156301
php函数'pcntl_exec'未定义 php
2011-10-06 19:35

回答 1 已采纳 Just read the installation instructions Process Control support in PHP is not enabled by defau
PHP中exec函数和shell_exec函数的区别
2020-10-25 13:08

主要介绍了PHP中exec函数和shell_exec函数的区别,这两个函数是非常危险的函数,一般情况都是被禁用的,当然特殊情况下也会使用,需要的朋友可以参考下
在php脚本中返回shell_exec（）函数的参数 c++ php
2013-07-08 09:24

回答 3 已采纳 Perhaps simply preg_match('/[0-9]*/', $output, $matches); If I'm not mistaken... To be sure:
php中使用exec,system等函数调用系统命令的方法(不建议使用,可导致安全问题)
2020-12-18 16:36

注意:要想使用这二个函数php.ini中的安全模式必须关闭，要不然为了安全起见php是不让调用系统命令的。先看一下php手册对这二个函数的解释: exec — 执行外部程式语法 : string exec ( string comman
php+exec安全问题_安全模式下exec等函数安全隐患
2021-03-22 19:34

Lo-FiGames的博客 80vul-Bteam:http://www.80vul.comdate:2009-05-27updata:2009-6-19—————–updata—————————————昨天php5.2.10出来了,fix了PCH-006里提到的bug:Fixed bug #45997 (safe_mode bypass with exec/...
没有解决我的问题, 去提问

悬赏问题

¥15 使用ue5插件narrative时如何切换关卡也保存叙事任务记录
¥20 软件测试决策法疑问求解答
¥15 win11 23H2删除推荐的项目，支持注册表等
¥15 matlab 用yalmip搭建模型，cplex求解，线性化处理的方法
¥15 qt6.6.3 基于百度云的语音识别不会改
¥15 关于#目标检测#的问题：大概就是类似后台自动检测某下架商品的库存，在他监测到该商品上架并且可以购买的瞬间点击立即购买下单
¥15 神经网络怎么把隐含层变量融合到损失函数中？
¥15 lingo18勾选global solver求解使用的算法
¥15 全部备份安卓app数据包括密码，可以复制到另一手机上运行
¥20 测距传感器数据手册i2c

安全地使用PHP exec函数

2条回答 默认 最新

悬赏问题

2条回答默认最新