CHAPTER 10 ■ WORKING WITH THE FILE AND OPERATING SYSTEM 303
System-Level Program Execution
Truly lazy programmers know how to make the most of their entire server environment when developing applications, which includes exploiting the functionality of the operating system, file system, installed program base, and programming languages whenever necessary. In this section, you'll learn how PHP can interact with the operating system to call both OS-level programs and third-party installed applications. Done properly, it adds a whole new level of functionality to your PHP programming repertoire. Done poorly, it can be catastrophic not only to your application but also to your server's data integrity. That said, before delving into this powerful feature, take a moment to consider the topic of sanitizing user input before passing it to the shell level.
Sanitizing the Input
Neglecting to sanitize user input that may subsequently be passed to system-level functions could allow attackers to do massive internal damage to your information store and operating system, deface or delete Web files, and otherwise gain unrestricted access to your server. And that's only the beginning.
■ Note See Chapter 21 for a discussion of secure PHP programming.
As an example of why sanitizing the input is so important, consider a real-world
scenario. Suppose that you offer an online service that generates PDFs from an input
URL.
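As an added example of the input handling the text calls for (this is not code from the book), here is a hypothetical PHP PDF service: the converter name html2pdf, its arguments, and the sample inputs are assumed for illustration. The functions only build the command strings, so the difference between the two approaches can be inspected without executing anything.

```php
<?php
// Added example, not from the book. The converter "html2pdf" and the
// output file name are assumptions made for illustration only.

// VULNERABLE: raw user input is interpolated into the command string, so
// any shell metacharacters in the URL are interpreted by the shell.
function build_command_unsafe(string $url): string
{
    return "html2pdf " . $url . " output.pdf";
}

// HARDENED: validate the value first, then quote what remains.
function build_command_safe(string $url): ?string
{
    // 1. Reject anything that is not a well-formed absolute URL.
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    // 2. Allow only the schemes the service actually needs. A file:// URL
    //    passes FILTER_VALIDATE_URL but must not reach the converter.
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }
    // 3. Quote the argument so the shell treats it as one literal token.
    //    Validation alone is not enough: ';' is a legal URL character.
    return "html2pdf " . escapeshellarg($url) . " output.pdf";
}

// Constructed sample inputs.
$inputs = [
    'http://example.com/report',   // legitimate request
    'http://example.com/a;echo',   // valid URL containing a shell separator
    'file:///etc/hosts',           // valid URL, disallowed scheme
];

foreach ($inputs as $input) {
    echo "Input:  $input\n";
    echo "Unsafe: " . build_command_unsafe($input) . "\n";
    $safe = build_command_safe($input);
    echo "Safe:   " . ($safe ?? '(rejected)') . "\n\n";
}
```

For the second input the unsafe string contains an unquoted `;`, while the safe string wraps the whole URL in single quotes; the third input is rejected before any command is built.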