mysqldump from php script safety

Question

If I do shell_exec('mysqldump DATABASE_NAME') from a php script, is there any danger?

Is there a way to get this to work in Windows?

I am going to use mysqldump for database backup from a web page

Also should I do set_time_limit(0) when running this?

Answer 1

Yeah, there is danger: If database name comes from an untrusted source hackers could try to inject shell commands in the database name. For example:

$dbname = 'test; cat /etc/shadow';

might being used to obtain user names and encrypted passwords from the system (depends on the system)..

To avoid that, you should use escapeshellarg() to quote the database name (and possible other arguments):

shell_exec('mysqldump ' . escapeshellarg($database_name));

---

set_time_limit() isn't required if you are following my hints here

---

Needless to say, that you'll have to secure the page using login.