Re: securing a script that exec()s

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, Mar 30, 2012 at 7:05 AM, David OBrien <dgobrien@xxxxxxxxx> wrote:
> Find a way to do it using PHP's imagemagick extensions
>
> http://php.net/manual/en/book.imagick.php
>
> On Fri, Mar 30, 2012 at 5:56 AM, rene7705 <rene7705@xxxxxxxxx> wrote:
>
>> Hi.
>>
>> I have a script that uses imagemagick's convert command on the commandline
>> to get it's work done.
>> These calls to exec('convert [params]') take params from the end-user via a
>> html form, so is very unsecure.
>>
>> The intention is that the end-user only runs this script on localhost, from
>> localhost.
>>
>> So now i'm checking $_SERVER['REMOTE_ADDR']===$_SERVER['SERVER_ADDR'] to
>> see if I can allow the script to be used.
>>
>> But unfortunately, $_SERVER['REMOTE_ADDR'] is my external IP, and
>> $_SERVER['SERVER_ADDR'] is my internal IP.
>>
>> How would I best fix this?
>>

I, too, would suggest you use the PHP extensions rather than shell out
a command for various reasons, security being possibly the highest.
There is also the cost of another process on the box, and doing the
translation in and out.

And David, please bottom post responses.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux