0

I was wondering if it is safe to have exec() enabled on my server. I would like to use it to execute a ping command inside a script to check to see if my servers are running. The IPs that are being passed into the exec() function are all hard coded into an array so it should be safe to run.

My worry is exec() could be injected somewhere else on my site via a self referencing form or into the database. Is this possible?

slick1537

2 Answers

1

As long as you are the only one with access to the server, it is secure. The problem however occurs when somebody manages to get access to your server. This can be for several reasons, like stupid mistakes in coding, unknowingly creating holes, you lose your password, etc.

If you have exec enabled and somebody does manage to gain access, he can do almost anything with your server. That's why it's disabled in most environments. And I advise you to keep it that way.

If ping is what you want to do, check out how-to-ping-a-server-with-php

Hugo Delsing
  • Thanks for the advice, I am going to disable it. Was having trouble with the code from that other thread, but I guess I will have to look into it a bit more to figure out why it's not working properly for me. – slick1537 May 08 '13 at 10:45
0

Yes. You'll definitely want to disable exec. This is more a debug function than something actually needed in scripts.

If you really need it, you can limit its capabilities, but I would discourage this approach.

Use this to ping a server from PHP.

Stefano Sanfilippo
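
An added example, not part of either answer or of the linked thread: a reachability check over a hard-coded server list that never calls exec(), so exec can stay listed in `disable_functions`. It tests a TCP connect to a service port rather than sending an ICMP echo, and the server names, addresses and ports are constructed placeholders.

```php
<?php
declare(strict_types=1);

// Constructed sample inventory (documentation-range addresses, not real hosts).
// The port is the service each server is expected to answer on.
const SERVERS = [
    'web-1' => ['ip' => '192.0.2.10',  'port' => 80],
    'db-1'  => ['ip' => '192.0.2.20',  'port' => 3306],
    'typo'  => ['ip' => '192.0.2.300', 'port' => 22], // malformed on purpose
];

/**
 * Returns true when a TCP connection to $ip:$port succeeds within $timeout seconds.
 * No shell is involved, so the address is never interpreted as a command line.
 */
function is_reachable(string $ip, int $port, float $timeout = 2.0): bool
{
    // Accept only literal IPv4/IPv6 addresses and valid port numbers.
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        throw new InvalidArgumentException("not an IP address: $ip");
    }
    if ($port < 1 || $port > 65535) {
        throw new InvalidArgumentException("invalid port: $port");
    }

    // IPv6 literals must be bracketed for fsockopen().
    $host = strpos($ip, ':') !== false ? "[$ip]" : $ip;

    // @ suppresses the warning PHP raises on a refused or timed-out connect.
    $socket = @fsockopen($host, $port, $errno, $errstr, $timeout);
    if ($socket === false) {
        return false;
    }
    fclose($socket);
    return true;
}

foreach (SERVERS as $name => $server) {
    try {
        $state = is_reachable($server['ip'], $server['port']) ? 'up' : 'down';
    } catch (InvalidArgumentException $e) {
        $state = 'skipped (' . $e->getMessage() . ')';
    }
    echo $name, ': ', $state, PHP_EOL;
}
```

A host that filters the chosen port reports as down even if it answers ICMP, so pick a port the server is meant to serve.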