PHP Security-command injection

Source: Internet
Author: User



Command injection

Using system commands is a dangerous operation, especially when you try to use remote data to construct the command to be executed. If tainted data is used, a command injection vulnerability results.

exec() is a function used to execute a shell command. It returns the last line of the command's output, but you can pass an array as the second parameter, in which case each line of output is saved as an element of that array. Its usage is as follows:

  
 


If the ls command is run manually in a shell, the following output is produced:

$ ls
total 0
-rw-rw-r--  1 chris chris 0 May 21 12:34 php-security
-rw-rw-r--  1 chris chris 0 May 21 12:34 chris-shiflett


When the same command is run through exec() as in the example above, the output is as follows:

Array
(
    [0] => total 0
    [1] => -rw-rw-r--  1 chris chris 0 May 21 12:34 php-security
    [2] => -rw-rw-r--  1 chris chris 0 May 21 12:34 chris-shiflett
)
Return [0]
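The exec() behaviour described above, as an added example that is not code from the original article. The helper name runAndCapture() is my own, and the command string is a fixed literal chosen here ('ls -l'); no request data is involved, so the focus is only on what exec() returns and one caveat about reusing the output array:

```php
<?php
// Added example (not from the original article): exec() return semantics.
// The command is a fixed literal; nothing here comes from remote data.

function runAndCapture(string $command): array
{
    $output = [];        // exec() APPENDS to this array, so start empty on every call
    $returnCode = 1;     // exec() sets this to the command's exit status
    $last = exec($command, $output, $returnCode);

    return [
        'last'   => $last,        // only the last line (this is exec()'s return value)
        'lines'  => $output,      // every line of standard output
        'status' => $returnCode,  // 0 normally means the command succeeded
    ];
}

// 'ls -l' is my own choice of command for this demonstration.
$result = runAndCapture('ls -l');

echo "Exit status: {$result['status']}\n";
echo "Last line:   {$result['last']}\n";
echo "All lines:\n";
print_r($result['lines']);

// Caveat: if the same array is passed to a second exec() call without being
// emptied, the new lines are appended after the old ones rather than replacing them.
$reused = [];
exec('echo first', $reused);
exec('echo second', $reused);
print_r($reused); // [0] => first, [1] => second
```

Checking the third parameter is worth the habit: exec() returns the last output line even when the command failed, so the exit status is the only reliable success signal.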


This makes running shell commands convenient, but it exposes you to significant risk: if tainted data is used to construct the command string, an attacker can execute arbitrary commands.

I suggest you avoid using shell commands if possible. If you must use them, make sure you filter the data used to construct the command string and escape the data you send to the shell:

 


Although there are several ways to execute shell commands, one rule applies to all of them: only filtered and escaped data may be used when constructing the string to be run. Other functions that deserve the same attention include passthru(), popen(), shell_exec(), and system(). Again, if at all possible, avoid shell commands entirely.
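One way to apply the filter-then-escape rule from the two paragraphs above, written as an added example rather than code from the original article. The function names (filterFilename, buildListCommand, listFile), the allowlist pattern and the sample inputs are all my own assumptions; the only built-ins used are preg_match(), escapeshellarg() and exec():

```php
<?php
// Added example (not from the original article): building a shell command
// from untrusted input with a filtering step and an escaping step.

// Step 1: filter. Accept only a plain filename; reject everything else.
function filterFilename(string $input): ?string
{
    // Allowlist: letters, digits, dot, underscore, dash, at most 64 characters.
    // No path separators and no shell metacharacters can pass this check.
    if (preg_match('/^[A-Za-z0-9._-]{1,64}$/', $input) !== 1) {
        return null;
    }
    // "." and ".." pass the character check but are not files we want listed.
    if ($input === '.' || $input === '..') {
        return null;
    }
    return $input;
}

// Step 2: escape. Even already-filtered data goes through escapeshellarg(),
// so the shell receives it as exactly one argument.
function buildListCommand(string $cleanFilename): string
{
    $program = 'ls';                        // fixed program name, never taken from input
    $arg = escapeshellarg($cleanFilename);  // single-quotes the value, escaping embedded quotes
    return "$program -l -- $arg";           // "--" stops option parsing for names beginning with "-"
}

function listFile(string $untrusted): array
{
    $clean = filterFilename($untrusted);
    if ($clean === null) {
        return ['ok' => false, 'error' => 'rejected filename', 'lines' => [], 'status' => null];
    }
    $output = [];
    $status = 1;
    exec(buildListCommand($clean), $output, $status);
    return ['ok' => $status === 0, 'lines' => $output, 'status' => $status];
}

// Constructed sample inputs (not taken from any real request).
// Whether 'php-security' is actually listed depends on the working directory.
foreach (['php-security', 'notes 2024.txt', '../etc', 'a;b'] as $candidate) {
    $r = listFile($candidate);
    printf("%-16s -> %s\n", $candidate, $r['ok'] ? 'listed' : ($r['error'] ?? 'command failed'));
}
```

The two steps are deliberately separate: the allowlist decides what the application is willing to accept, while escapeshellarg() guarantees that whatever survives is passed to the shell as a single quoted argument. escapeshellcmd() exists too, but it escapes metacharacters across a whole command string; for individual arguments, escapeshellarg() is the tighter tool. The same wrapper shape applies to passthru(), shell_exec() and system().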
