PHP在php文件上调用exec以在后台执行
[英]PHP calling exec on a php file to execute in the background
问题描述
I want to execute a PHP file with exec , to handle a process in the background, where 1234567 is an id I wish to call from a database to get some information about what I am about to process. 
我想用exec执行一个PHP文件,以在后台处理一个进程,其中1234567是一个ID,我希望从数据库中调用该ID以获取有关我将要处理的内容的信息。
exec('/var/www/somescript.php 1234567 > /dev/null &');
Are there any potential security issues or problems I may run into? 我可能遇到任何潜在的安全问题吗?
Should I use escapeshellarg() on the parameter I am passing in? 我应该在传递的参数上使用escapeshellarg()吗?
1 个解决方案
解决方案1
0 已采纳 2014-01-27 17:47:33
I'm sure this depends on if this should be called via a web user and if the arguement or executed command is created by the user. 我确定这取决于是否应该通过网络用户调用,以及争论或执行的命令是否由用户创建。
Using escapeshellarg() in my opinion should always be called as you wouldn't use the MYSQL_ function and not escape any of the input due to risk of SQL injection. 我认为应该总是使用escapeshellarg(),因为您不会使用MYSQL_函数,并且由于存在SQL注入的风险而不会转义任何输入。 Using the exec function is a similar issue, you wouldn't use the script without escaping the input. 使用exec函数是一个类似的问题,如果不转义输入,就不会使用脚本。 However, escaping the input doesn't necissarily stop people abusing the script. 但是,转义输入并不一定会阻止人们滥用脚本。
You do need to make sure validation has been done for any arguments sent over to the script for example you don't want anyone to comment out your script and in the arguement section inject a completely different script to maybe add a user (this shouldn't be allowed to happen given propper permissions). 您确实需要确保已经验证了发送给脚本的所有参数,例如,您不想让任何人注释您的脚本,并在“争论”部分注入一个完全不同的脚本来添加用户(这不应除非获得适当的权限,否则不允许发生)。
I would use this as the last resort, if the issue can't be solved any other way rather then using an exec. 如果无法通过其他方法解决问题,则可以使用exec作为最后的手段。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.