Hi, our project would like to use the pdf2swf.exe application, as we plan on embedding FlexPaper into the application as a report viewer and printer. I have seen an example of the COM class on the PHP site. I kindly ask: is the PHP COM class a safer method than using exec() with regard to vulnerabilities to outside attacks? And is this the recommended way to access executables when building PHP applications? :confused:
7 replies to this topic
#1
Posted 13 April 2011 - 10:46 AM
#2
Posted 13 April 2011 - 11:13 AM
To be honest I haven't read much about this, an idea just popped into my mind when I read your question.
But would it be possible for you to determine which command to execute through some kind of switch-case statement?
That way you would bypass the direct-user-input problem.... I think?
#3
Posted 13 April 2011 - 11:55 AM
The exec family of functions will be as secure as you make them to be. I would note that calling exec on Windows-based systems may have a somewhat high overhead if this is going to be called often enough; you could look into creating a Windows service worker to convert your files at a specific interval rather than on-request with exec.
Be sure to read the updated FAQ! || Health is achieved through the same 10,000 steps.
If a suggested code/method fails, informing us is less important than telling us why or what errors occurred.
#4
Posted 15 April 2011 - 03:15 AM
Hi @ __ak. It would be possible to switch within the scripts I write, but on using such functionality it seems one would have to ensure security for the whole system. Let me know if you have any other ideas :). If you do use it, I am wondering if function enabling/disabling can be set at runtime in PHP, such that you enable exec() and then disable it once used? :confused:
@ Alexander thanks for the link I will check out the Windows Service documentation because this functionality will expect frequent calls from users. Still waiting for your verdict exec family or com class :) ?
#5
Posted 15 April 2011 - 04:28 PM
If you wish to utilize interoperability services provided by your application then the COM class would be more secure in that you are working with a language agnostic binary interface rather than command lines, although I am unaware if your application uses that technology.
Exec with escapeshellargs should be secure if you cannot use the former option.
#6
Posted 17 April 2011 - 04:10 AM
Hi. By interoperability do you mean interacting with applications such as .NET? If so, then we do not utilize that.
#7
Posted 17 April 2011 - 06:39 PM
That is what the COM class does though; COM stands for Component Object Model and is often used in OLE/MFC/.NET applications.
#8
Posted 18 April 2011 - 07:17 AM
Hi, thanks for the clarification :) . I have worked with VBA on Excel but never had the chance to sink my teeth into getting to know what COM is. I was curious because in an example I saw they called the pdf2swf executable via wscript shell using the COM class. I thus think we may just try it, because I am sure we could be required to use COM somewhere down the line; after PDF integration in the project we have to try and provide Excel and Word report export.
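
The switch-case idea from reply #2 and the argument escaping from reply #5, combined in one sketch. This is an added example, not code posted by anyone in the thread; the install path, report directory and report names are assumptions, and only the `-o` output option of pdf2swf is used.

```php
<?php
// Added example, not code from the thread.
// Assumptions: install path, report directory and report names are hypothetical.
const PDF2SWF    = 'C:\\swftools\\pdf2swf.exe';
const REPORT_DIR = 'C:\\app\\reports';

// Allowlist (the "switch-case" idea): a request selects a key, never a
// file name, path or command fragment.
const REPORTS = [
    'monthly-sales' => 'monthly_sales.pdf',
    'inventory'     => 'inventory.pdf',
];

function buildConvertCommand(string $reportKey): string
{
    if (!array_key_exists($reportKey, REPORTS)) {
        throw new InvalidArgumentException('Unknown report key');
    }
    $pdf = REPORT_DIR . '\\' . REPORTS[$reportKey];
    $swf = substr($pdf, 0, -4) . '.swf';
    // The executable is a fixed constant; every argument is still quoted
    // with escapeshellarg() so later changes cannot introduce raw input.
    return PDF2SWF . ' ' . escapeshellarg($pdf) . ' -o ' . escapeshellarg($swf);
}

function convertReport(string $reportKey): string
{
    exec(buildConvertCommand($reportKey), $output, $exitCode);
    if ($exitCode !== 0) {
        throw new RuntimeException("pdf2swf exited with code $exitCode");
    }
    return substr(REPORTS[$reportKey], 0, -4) . '.swf';
}

// Constructed request values: two valid keys and two that are not on the
// allowlist. Only the command string is built here; nothing is executed.
foreach (['inventory', 'monthly-sales', 'inventory.pdf & echo x', '..\\other.pdf'] as $key) {
    try {
        echo buildConvertCommand($key), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', json_encode($key), PHP_EOL;
    }
}
```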