+2  Q: 

Is PHP exec safe?

I am trying to get exec working on a Windows server and receiving the error message "unable to fork". After googling the issue a bit, it seems the recommended fix is to give the IUSR account READ and EXECUTE permissions to c:\Windows\System32\cmd.exe.

But that has got to be a major security hole, right? Is it safe? Is there another way to execute [from PHP] an exe residing on the server?

+6  A: 

It needs to execute cmd.exe because when the Windows PHP sees this:

exec("foo -bar -baz");

It calls this:

cmd /c foo -bar -baz

It's only a security hole if you let your user enter parameters, i.e., you shouldn't do this:

// DO NOT DO THIS!
exec("foo -bar=" . $_GET['bar']);

Instead, you should sanitize your parameters with escapeshellarg.

// This is okay.  (Be sure foo.exe can handle unexpected input!)
exec("foo -bar=" . escapeshellarg($_GET['bar']));
MiffTheFox
The exec function is as safe as you make it. As long as you use the proper escaping functions like shown here, you'll be good.
Steven Surowiec
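The pattern from the answer above, carried through as an added example (this is not code from the answer or from PHP itself): the command is built exactly as the answer shows, with one escapeshellarg() call per user-supplied value, and a character allow-list is applied first as defence in depth, since escaping only stops the shell from interpreting the value and the executable still has to cope with whatever is left. "foo" and its "-bar=" option are the same placeholder names the answer uses; "foo.exe" is not assumed to exist when this runs.

```php
<?php
// Added example, not part of the original answer. Demonstrates building a
// cmd /c (or /bin/sh) command line from user input without letting that input
// become extra shell syntax. 'foo' and '-bar=' are placeholders from the answer.
declare(strict_types=1);

/**
 * Defence in depth: escapeshellarg() keeps the shell from interpreting the
 * value, but foo still receives it. Reject anything outside the character set
 * the tool actually needs, before the value ever reaches the shell.
 */
function isAllowedValue(string $value): bool
{
    return (bool) preg_match('/\A[A-Za-z0-9_.-]{1,64}\z/', $value);
}

/**
 * Build the command string exactly as the answer does: a fixed, server-chosen
 * executable and option, with the user value wrapped by escapeshellarg().
 * On Windows escapeshellarg() wraps the value in double quotes (and blanks
 * %, ! and " characters); on Unix it wraps it in single quotes. Either way
 * the shell sees one literal argument, never a second command.
 */
function buildFooCommand(string $bar): string
{
    return 'foo -bar=' . escapeshellarg($bar) . ' 2>&1';
}

/**
 * Run foo with a validated argument and report the outcome. exec() fills
 * $output with the command's lines and $status with its exit code, so a
 * caller can tell a failed run from an empty result.
 */
function runFoo(string $bar): array
{
    if (!isAllowedValue($bar)) {
        // Rejected before exec(): nothing is passed to the shell at all.
        return ['ok' => false, 'status' => null, 'output' => [],
                'reason' => 'value rejected by allow-list'];
    }
    $output = [];
    $status = 0;
    exec(buildFooCommand($bar), $output, $status);
    return ['ok' => $status === 0, 'status' => $status, 'output' => $output,
            'reason' => $status === 0 ? 'ran' : 'foo exited with a non-zero status'];
}

// Constructed sample inputs, as a web request might supply them in $_GET['bar'].
$samples = [
    'baz',                   // ordinary value
    'baz & echo injected',   // shell metacharacters: escaped, and also rejected
    'two words',             // a space: escaped into one argument
];

foreach ($samples as $value) {
    printf("%-22s escaped as: %s\n", "'$value'", buildFooCommand($value));
    $result = runFoo($value);
    printf("%-22s runFoo():   %s\n", '', $result['reason']);
}
```

The first column shows what the shell would actually receive for each input; only the allow-listed value reaches exec(), and that call reports a non-zero status here because the placeholder executable is not installed, which is the case the $status argument exists to surface.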
A: 

One thing you should keep in mind is that creating a process under Windows incurs more overhead than it does on Unix-class operating systems. If you have a large number of users, repeatedly calling exec() could bog down the server. If you anticipate a heavy load on your server, you may want to consider having a worker process running continually as a Windows service.

Ken Keenan