I’m writing a web application in which I use several third-party commands, calling them with the exec function in PHP (for example, I render LaTeX formulas through a command-line program).
My question is: what are the security issues of executing external command-line programs in PHP? What do I have to be aware of? Can you give me a list of points to check?
EDIT: I’m aware that I have to clean the user input to prevent executing arbitrary commands… Are there any other things to check?
Thanks in advance.
Be careful to escape any incoming data that you may be putting into the command using escapeshellarg().
Using absolute paths to the executable of your choice minimizes the risk of the PHP script calling the wrong file.
Other than that, I fail to see what the fuss in some of the other answers is about – after all, you are not talking about letting users execute arbitrary commands. (Correct me if I’m wrong.) In general, executing external commands from PHP is a perfectly fine practice security-wise IMO.
You need to keep in mind that the program you call is running with the PHP user’s rights and may not be allowed to do everything, but I assume you already know that.
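The two points from the answer above (escapeshellarg() on incoming data, an absolute path to the executable), as an added example that is not part of the original thread. RENDERER and render_formula() are hypothetical names, /bin/echo stands in for the real formula renderer so the script runs anywhere, and the length limit and leading-dash check are assumptions about what the renderer should accept.

```php
<?php
// Added example, not code from the thread. RENDERER is a hypothetical
// constant; /bin/echo is a stand-in for the real rendering binary.
const RENDERER = '/bin/echo';   // absolute path: no $PATH lookup involved
const MAX_FORMULA_BYTES = 2000; // assumed limit, tune for the application

function render_formula(string $formula): array
{
    // Validate before building the command: empty, oversized or NUL-bearing
    // input is rejected outright.
    if ($formula === '' || strlen($formula) > MAX_FORMULA_BYTES
        || strpos($formula, "\0") !== false) {
        throw new InvalidArgumentException('formula rejected');
    }
    // escapeshellarg() stops the shell from interpreting the value, but the
    // called program would still read a leading "-" as one of its options.
    if ($formula[0] === '-') {
        throw new InvalidArgumentException('formula must not start with "-"');
    }
    if (!is_executable(RENDERER)) {
        throw new RuntimeException('renderer not found at ' . RENDERER);
    }

    // Unsafe form, for contrast: exec(RENDERER . ' ' . $formula);
    // there the shell would act on ";", "|", "$(...)" and backticks.
    $cmd = RENDERER . ' ' . escapeshellarg($formula) . ' 2>&1';

    $output = [];
    $status = 0;
    exec($cmd, $output, $status);

    // A non-zero exit status means the output must not be trusted or cached.
    if ($status !== 0) {
        throw new RuntimeException("renderer exited with status $status");
    }
    return $output;
}

// Constructed hostile input: with escaping, the metacharacters reach the
// program as literal text instead of being run by the shell.
$hostile = 'x^2 $(id) ; id';
$lines = render_formula($hostile);
echo $lines[0], PHP_EOL;
```

With the stand-in binary the script prints the hostile string back unchanged, which shows that the shell passed it through as a single argument.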