This question was migrated from Information Security Stack Exchange because it can be answered on Stack Overflow.
Migrated 10 days ago.
I have a python script on a webserver. The user data are stored in a database. The python script receives the user data as parameters, e.g.:
python3 script.py --name "Andy Wright"
In the script.py, I will write the value of the variable to a .tex file to generate a PDF file from it.
The question is if I need to escape the parameter? The python script is executed with php:
shell_exec('python3 script.py --name '.$name);
What would be the best way to secure the execution? Should I encode the variable $name (which is a user input)? If I use escapeshellcmd, I would not have the original name. Or is there a possibility to unescape it in the script?
Related
I am trying to run a program using PHP and keep sending output to it. I've tried using exec() but as the documentation page says, it hangs, waiting for the process to return.
Is there something like exec() that would allow me to keep sending commands to a CLI application?
Please note that since the application is closed-source, I don't have the option of changing the application to look for a lock file or any other thing suggested as answers to similar questions.
You are looking for the proc_open command. This command runs a process connecting its standard input and output to file descriptors opened as pipes in your program. What you write the 0 descriptor is taken as input on stdin by the process, and what it outputs can be read by your program as of from a file. The example code in the linked php documentation should get you going.
However, if you are trying to communicate with mysql specifically, rather use the built in mysql functionality of php
On a new PHP session on a linux web server, I want to start a process (specifically ghostscript) running in the background in console input mode and then repeatedly write new data to its input. This data write needs to occur every time new user data arrives via ajax. The user data is interpreted by the PHP script into postscript commands for ghostscript and then needs to be sent to gs. The gs output will be to a named file. The reason for doing this is that I need speed and want to avoid the overhead of starting gs on each new input from the user. (Once gs is running and waiting for input it takes about 40ms to process my data, but restarting gs and processing the data is taking around 250ms.) Although I can get gs to run in the background and accept input from the shell, I am having difficulty getting it to do this from a PHP script. I've been through all the variations of exec, shell_exec, popen, system, coproc, etc. that I can think of and I seem to be missing something fundamental. Thanks for any insights.
If you have appropriate access rights on the server, may start a socket and make ghostscript accept input from that socket.
E.g.
on a tty:
$ socket -sl 11555
on another tty:
$ nc 0 11555 | ghostscript
Now whatever you write to the socket, gs receives it as input. As your AJAX requests arrive to the server, you can do whatever processing you need to, and then write the resulting postscript commands to the socket from PHP.
This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
php exec() function and different hosts
I have a web app that when save button is clicked it makes an ajax call to save.php. I want to be able to make a command line call for a command line only php script to run from inside of the save.php file.
ex.
some code to make a db call and update db
exec('PathToPHP /path/to/file/refresh.php');
I have tried this and it does not work.
does anyone have a good solution?
thanks
If this process takes a long time and the client doesn't wait for it to finish and navigates away while this is running apache will kill the thread handling this. That I'm sure of. Haven't tested this under fastcgi mode under nginx but I'm pretty sure this will be the case too.
I am developing a CLI PHP script that can either be executed in the foreground or the background. If running in the foreground I want to be able to interact with the user getting input information. Obviously if the script is launched in the background using the '&' parameter any user interaction should be skipped...
So is there a way for a PHP script to detect that it has been launched in the background?
Its not possible to detect if its running in background. I still didn't find any way to do.
One way could be to traverse process list and check the status of /usr/bin/php
The best ways is to use a parameter (say --daemon). When this parameter is passed it'll be running in background otherwise it'll print useful information on front-end.
You can create daemon using System_Daemon pear package.
There's a Unix frequently asked question (which I found via this Stack Overflow post) that basically claims it cannot reliably be done. One suggestion the article gives is to check whether or not stdin is a terminal:
sh: if [ -t 0 ]; then ... fi
C: if(isatty(0)) { ... }
I agree with Pekka's comment that you should simply provide a parameter to the script. The -i (for interactive) option is sometimes used for this express purpose. If that parameter isn't passed, you can assume you're in "automated" mode.
This question already has an answer here:
Closed 11 years ago.
Possible Duplicate:
php in background exec() function
After a certain script runs on website I want to do a bit of processing in the background which could take a little long to run on the page request.
I heard you can do this by using the exec() method to run a PHP script.
If this is a good way to do it how do I pass a query string to PHP script with the exec() method?
EDIT:
It's not a duplicate because the post you're referring to doesn't deal with my question about query string/argument passing.
If you want to run a PHP script in the background using PHP, then you can do the following:
$command = "php -d max_execution_time=50 -f myfile.php '".$param."' >/dev/null &";
exec($command);
$param is a variable you want to pass into the file.
Since your script runs in the background and not in a terminal, try ignore_user_abort( TRUE ); execution flow continues until execution is complete, and not when the tab or window or network connection is closed.