Topic awaiting preservation: Using Exec() etc.... $Pages that link to <a href="https://ozoneasylum.com/backlink?for=28399" title="Pages that link to Topic awaiting preservation: Using Exec() etc...." rel="nofollow" >Topic awaiting preservation: Using Exec() etc....\$

Author	Thread
H][RO Paranoid (IV) Inmate From: Australia Insane since: Oct 2002	posted 09-06-2006 14:01 One of those days with lots of questions! Okay basically I need to use imagemagick on my server, so i need to use exec() or shell_exec() or system() so i can run the convert commands. This is ALL i need exec for. Basically, what is the safest way to do this? Is there some way to restrict it so exec can only run the convert program? Keep in mind - Although i am on shared hosting I have full access to make my own PHP.ini files and settings. I can turn safemode on/off, the whole hog. - The only user input coming into the exec script itself is image quality which I can safely handle - I'm not to worried about the exec being abused where i am using it, more if they can inject php code and use exec wherever they want (which im guessing is pretty hard). Also whats the difference between exec/shell_exec/system - i have read up and one runs a program, one runs it in a shell etc, but im not quite sure the different effects this has. If i have to leave safe mode on and only allow exec to run this is fine etc (if thats possible). I have googled it but im finding it hard to find relevant results, so any help would be great - thanks!
Tyberius Prime Maniac (V) Mad Scientist with Finglongers From: Germany Insane since: Sep 2001	posted 09-06-2006 15:21 All you need to do is secure the string you're passing to exec. If it's always exec ( command static file A, static File B, image quality), a simple $imageQuality = intval ($imageQuality); $imageQuality = min ( 100, max ( 0, $imageQuality ) ); should be enough. so long, ->Tyberius Prime
H][RO Paranoid (IV) Inmate From: Australia Insane since: Oct 2002	posted 09-06-2006 15:28 Great Thanks, So exec is the best one to use for this? Ill see if i can just have exec enabled rather than have the others enabled since i dont need them.

Topic awaiting preservation: Using Exec() etc....\$

Author

Thread

H][RO
Paranoid (IV) Inmate

From: Australia
Insane since: Oct 2002

posted 09-06-2006 14:01

One of those days with lots of questions!

Okay basically I need to use imagemagick on my server, so i need to use exec() or shell_exec() or system() so i can run the convert commands.

This is ALL i need exec for.

Basically, what is the safest way to do this? Is there some way to restrict it so exec can only run the convert program?

Keep in mind
- Although i am on shared hosting I have full access to make my own PHP.ini files and settings. I can turn safemode on/off, the whole hog.
- The only user input coming into the exec script itself is image quality which I can safely handle
- I'm not to worried about the exec being abused where i am using it, more if they can inject php code and use exec wherever they want (which im guessing is pretty hard).

Also whats the difference between exec/shell_exec/system - i have read up and one runs a program, one runs it in a shell etc, but im not quite sure the different effects this has.

If i have to leave safe mode on and only allow exec to run this is fine etc (if thats possible).

I have googled it but im finding it hard to find relevant results, so any help would be great - thanks!

Tyberius Prime
Maniac (V) Mad Scientist with Finglongers

From: Germany
Insane since: Sep 2001

posted 09-06-2006 15:21

All you need to do is secure the string you're passing to exec.

If it's always exec ( command static file A, static File B, image quality), a simple
$imageQuality = intval ($imageQuality);
$imageQuality = min ( 100, max ( 0, $imageQuality ) );

should be enough.

so long,

->Tyberius Prime

H][RO
Paranoid (IV) Inmate

From: Australia
Insane since: Oct 2002

posted 09-06-2006 15:28

Great Thanks,

So exec is the best one to use for this? Ill see if i can just have exec enabled rather than have the others enabled since i dont need them.