stackoom
  简体   繁体   中英

mysqldump from php script safety

 原文  2013-12-18 17:54:40       php/ mysqldump

Question

If I do shell_exec('mysqldump DATABASE_NAME') from a php script, is there any danger?

Is there a way to get this to work in Windows?

I am going to use mysqldump for database backup from a web page

Also should I do set_time_limit(0) when running this?

1 answers

solution1
 1 ACCPTED  2013-12-18 18:47:26

Yeah, there is danger: If database name comes from an untrusted source hackers could try to inject shell commands in the database name. For example: 

$dbname = 'test; cat /etc/shadow';

might being used to obtain user names and encrypted passwords from the system (depends on the system)..

To avoid that, you should use escapeshellarg() to quote the database name (and possible other arguments): 

shell_exec('mysqldump ' . escapeshellarg($database_name));

set_time_limit() isn't required if you are following my hints here

Needless to say, that you'll have to secure the page using login.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Memory requirements for mysqldump from php script Unable to execute mysqldump from PHP script Can't do a mysqldump from a PHP Script (Big data) Running mysqldump from a PHP script doesn't work but works on SSH Running mysqldump from PHP mysqldump from inside php xml parse from mysqldump in php Mysqldump big table from Php Using PHP script: why mysqldump does not dump sql file? How to export full mysql database with php script…? Problem in using 'mysqldump'
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM