secure way to call unix 'wget' from php script

         

scorpion

11:22 pm on Jun 21, 2003 (gmt 0)

I want to call Unix 'wget' to run on my server from a PHP script run over the Web. Is this
A) possible,
B) relatively secure?

My major concern, of course, is that I don't want any hacker to be able to run Unix commands on my box. Is anybody doing this sort of stuff in PHP scripts, and do you feel it's relatively safe?

ggrot

12:20 am on Jun 22, 2003 (gmt 0)

Just make sure that you aren't running commands that include data from outside the script. For example, if you are wgetting a file with a number in the URL and that number is input to the PHP script, you could have a problem. For example:

commandline="wget [somedomain.com...]

What if $number was input as ";rm -rf /;"? That would then run the three commands:
wget [somedomain.com...]
rm -rf /
.gif

Of course, the first and last would fail, but the command line takes semicolons as command separators and would run the middle one. So, if you are depending on external input for the stuff you pass to the command line, make sure to validate it first. Otherwise, you are pretty safe.
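
The validation described in the reply above, as an added example that is not part of the thread: `$number` is checked against an allow-list of digits rather than against a list of commands, and every argument is quoted with `escapeshellarg()` before it reaches the shell. The host `example.com`, the destination directory and the function names are assumptions, since the thread's real URL is truncated.

```php
<?php
// Added example, not code from the thread. BASE_URL is a placeholder host.
const BASE_URL = 'https://example.com/images/';

/**
 * Build the wget argument list for a numeric image id.
 * Returns null when the id is not a plain run of 1 to 9 digits.
 */
function build_wget_argv(string $number, string $destDir): ?array
{
    // Allow-list: digits only, bounded length. Everything else is rejected,
    // so ";", "|", "&", "$()", backticks, spaces and newlines never get through.
    // \A and \z anchor the whole string ("$" alone would accept a trailing newline).
    if (!preg_match('/\A[0-9]{1,9}\z/', $number)) {
        return null;
    }
    $url = BASE_URL . $number . '.gif';
    // "--" ends option parsing, so the URL can never be read as a wget flag.
    return ['wget', '--quiet', '--tries=2', '--timeout=10',
            '--directory-prefix=' . $destDir, '--', $url];
}

/** The same command as one string for exec(), each argument shell-quoted. */
function build_wget_command(array $argv): string
{
    return implode(' ', array_map('escapeshellarg', $argv));
}

// Constructed inputs: one legitimate id and the value quoted in the thread.
foreach (['42', ';rm -rf /;'] as $input) {
    $argv = build_wget_argv($input, '/tmp/fetch');
    if ($argv === null) {
        echo 'rejected: ' . var_export($input, true) . "\n";
        continue;
    }
    // Printed instead of executed so the example runs offline.
    echo 'would run: ' . build_wget_command($argv) . "\n";
    // To execute: exec(build_wget_command($argv), $output, $status);
    // On PHP 7.4+, proc_open($argv, ...) takes the array and skips the shell.
}
```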

scorpion

2:18 pm on Jun 22, 2003 (gmt 0)

So, in the example, you are saying $number should be checked against all Unix commands?

I guess one thing you can do is run the script locally on your server instead of over www.