Securely using exec with PHP to run ffmpeg

Question

I would like to run ffmpeg from PHP for video encoding purposes.

I was thinking of using the exec or passthru commands. However, I have been warned that enabling these functions is a security risk. In the words of my support staff:

The directive 'disable_functions' is used to disable any functions that allow the execution of system commands. This is for more security of the server. These PHP functions can be used to crack the server if not used properly.

I'm guessing that if exec is enabled, then someone could (possibly) execute an arbitrary unix command. Does anyone know of a secure way to run ffmpeg from PHP?

By the way, I'm on a dedicated server. Thanks ahead of time!

Answer 1

exec does not itself present a security risk any more than you logging into a secure terminal would.

Think of it this way, if you were to list the contents of a directory like so

exec( 'ls /foo/bar' );

it would not matter what your user sent to your php script, it would only ever list the directory specified.

As long as you are careful to sanitize any inputs from the user, and refrain from outputing sensitive information you should be ok.

Use the following methods to sanatize input for before running it on the command line:

• escapeshellarg() - Escape a string to be used as a shell argument
• escapeshellcmd() - Escape shell metacharacters

Answer 2

can i execute ffmpeg without de command "exec" ? thanks. rafael.

Answer 3

you can try using an ffmpeg-php library... found here: http://sourceforge.net/projects/ffmpeg-php/