Why is it said that using the system function in production code is not advisable? How is this different from using the exec family of functions?
Clarification: I have read in many places that it is unwise to use the system function when we are doing something at a commercial level. But it never occurred to me what the problem might be, and how using the exec family is considered better than system. As far as I am concerned, my concerns are clarified.
This question is tagged C, php and python. I don't know python, but the C and PHP system functions differ in at least one respect: the PHP function has an optional second argument.

In C (and according to the documentation, PHP does the same thing), system runs the command by executing /bin/sh -c command. The issue here is whether command is completely under your control. If command is a constant string, you are reasonably safe. However, if command has any user-provided elements, you had better be very careful. Let's say you thought this was a good way to add a string $foo to a log:

system ("echo '$foo' >> /var/log/bar");

in PHP is not going to be a great idea, because $foo might contain the following (including the quotes):

'x && /bin/rm -rf / && echo '

Much better to use something like exec where you don't need to worry about quoting, separating parameters etc. (rather than pass it through /bin/sh), and even then you need to be very careful.
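As an added example (not part of the answer above), the same quoting problem shown in Python, which the question also tags: one helper hands the string to /bin/sh -c the way system() does, one passes an argv list the way the exec family does, and one quotes the string when a shell is unavoidable. The message, helper names and the use of echo instead of the log redirection are constructed for this illustration.

```python
import shlex
import subprocess

# Constructed sample input: a "log message" that closes the single quote and
# smuggles in a second command. A harmless echo stands in for anything worse.
UNTRUSTED = "hello' ; echo INJECTED ; echo '"


def via_shell(msg: str) -> str:
    """Equivalent of C/PHP system(): the whole string is parsed by /bin/sh,
    so a quote character inside msg ends the quoted word and the rest of
    msg is executed as further shell commands."""
    cmd = f"echo '{msg}'"
    return subprocess.run(["/bin/sh", "-c", cmd],
                          capture_output=True, text=True).stdout


def via_argv(msg: str) -> str:
    """Equivalent of the exec family: argv is handed to the program directly.
    No shell ever sees msg, so it stays a single argument whatever it contains."""
    return subprocess.run(["echo", msg], capture_output=True, text=True).stdout


def via_shell_quoted(msg: str) -> str:
    """If a shell really is needed (pipes, redirection), shlex.quote turns msg
    into one shell word; the embedded quote and ';' lose their meaning."""
    cmd = f"echo {shlex.quote(msg)}"
    return subprocess.run(["/bin/sh", "-c", cmd],
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    print("system()-style:", repr(via_shell(UNTRUSTED)))        # three lines, one is INJECTED
    print("exec-style:    ", repr(via_argv(UNTRUSTED)))         # the message, verbatim
    print("quoted shell:  ", repr(via_shell_quoted(UNTRUSTED))) # the message, verbatim
```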