Is using shell_exec safe?

Hi,

Regarding security, Can I use shell_exec command safely in production web application ?
The command to be executed will be MYSQL shell command that's hardly coded.
Ramy MohsenAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Dave BaldwinFixer of ProblemsCommented:
Safety probably depends on how you have coded it and who can get to it.  With all of the MySQL functions built into PHP, what would you be using it for?
Ramy MohsenAuthor Commented:
Thank you.
Safety probably depends on how you have coded it and who can get to it.
I'm hardly coding it, means i'm writing it as follows:
shell_exec(command);
Where COMMAND is the read command that I coded [not a variable and not containing and input from the user].
So is this safe?

I want to create DB, Clone DB.
Dave BaldwinFixer of ProblemsCommented:
It's probably safe.  I'm not sure it will do what you want.  How are you going to create users and privileges for your databases?  Have you tried running your command from a file?
Are You Protected from Q3's Internet Threats?

Every quarter, WatchGuard's Threat Lab releases a security report that analyzes the top threat trends impacting companies around the world. For Q3, we saw that 6.8% of the top 100K websites use insecure SSL protocols. Read the full report to start protecting your business today!

Ramy MohsenAuthor Commented:
Sorry, What do you mean by running command from a file?
Dave BaldwinFixer of ProblemsCommented:
shell_exec normally uses a text variable as the command.  http://php.net/manual/en/function.shell-exec.php  That is essentially the same as running it from a file.

To create and Clone DB is not very useful if no one has privileges to use it.  Creating users and privileges is a separate operation from creating the database.

Note also that you usually have to have 'root' privileges to do any of these things.
Ramy MohsenAuthor Commented:
I'm normally able to create users and grant privileges on the new created DB using shell command.
So no problem in this point.

The main point for me is the security of using shell_exec to do this.
Ray PaseurCommented:
"Safe" is a relative term.  I can't add much to Dave's comments, except to note that shell_exec() behavior seems to be somewhat dependent on the underlying platform, so changing the OS would potentially introduce undetectable CRAP.  I've been working with multi-user PHP systems since 1999 and I've never used shell_exec() for the same reasons that I've never used exec() - there was always a pure PHP way to encapsulate the functionality I needed, and this means the software can be both testable and reusable.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
PHP

From novice to tech pro — start learning today.