28.17 Avoid Using exec, Backticks, and system If Possible

A common mistake that many PHP programmers make is overusing external processes for tasks that can be performed using PHP's built-in native functions. For instance, exec("/bin/ls -a $dirname", $files), which uses the external /bin/ls program, can be replaced by the code in Listing 28.11.

Listing 28.11 Avoiding executing an external process
<?php
// Collect the directory entries natively instead of spawning /bin/ls
$files = array();
$dir = opendir($dirname);
// Compare with !== false so an entry literally named "0" does not end the loop
while (($entry = readdir($dir)) !== false)
{
    $files[] = $entry;
}
closedir($dir);
?>
Even though it's a few more lines of code, Listing 28.11 is much faster and is also much less prone to security hazards. The exec version requires you to make sure that $dirname contains no malicious switches or shell code that may end up doing something other than what you expect. Whenever you find yourself using exec, system, or backticks, check whether there's a way to implement the same functionality using native PHP code. If it can be done with reasonable effort, always prefer the native PHP approach to external program invocation.
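The following added example is not from the book; it puts the native listing beside the command-line version to show why interpolating $dirname into a shell command is risky and what the minimal hardening looks like when an external program genuinely cannot be avoided. The function names (list_dir_native, build_ls_command) and the sample directory name are assumptions made for this illustration.

```php
<?php
// Added example (not from the book): native directory listing versus a
// shell command built from untrusted input.

// Native replacement for exec("/bin/ls -a $dirname", $files). No shell is
// involved, so $dirname is only ever used as a path, never as part of a
// command line. Like "ls -a", readdir() also returns "." and "..".
function list_dir_native($dirname)
{
    if (!is_dir($dirname)) {
        throw new InvalidArgumentException("Not a directory: $dirname");
    }
    $files = array();
    $dir = opendir($dirname);
    while (($entry = readdir($dir)) !== false) {
        $files[] = $entry;
    }
    closedir($dir);
    sort($files);
    return $files;
}

// If an external program really cannot be avoided: never interpolate raw
// input into the command string. escapeshellarg() turns the value into one
// quoted argument for the shell, and "--" tells ls that everything after it
// is a path, so a value beginning with "-" cannot be read as a switch.
function build_ls_command($dirname)
{
    return '/bin/ls -a -- ' . escapeshellarg($dirname);
}

// Constructed sample input: a "directory name" carrying a shell separator
// and a leading dash, the two things the text warns about.
$dirname = '-l; echo oops';

// Unsafe: the shell sees two commands, and ls sees "-l" as a switch.
echo "unsafe:  /bin/ls -a $dirname\n";

// Hardened: one quoted argument after "--"; nothing here is executed,
// the string is only built to show the difference.
echo "escaped: " . build_ls_command($dirname) . "\n";
// escaped: /bin/ls -a -- '-l; echo oops'

// Native: no command line exists at all, so there is nothing to inject into.
print_r(list_dir_native(sys_get_temp_dir()));
?>
```

The native function is the recommended path. The build_ls_command helper exists only to show that even the "safe" external version needs two separate defenses (shell quoting and an argument terminator), which is the extra attack surface the native approach removes entirely.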