It is possible to run an external command by three PHP functions of
system();
exec();
shell_exec();
but what are their differences? In spite of their specific applications, in most cases, the can be equally used. I am curious to know which is preferred one when they can be equally used. For example, for unzipping a file or compressing a folder (with tar command), which one is preferred (probably from performance point of view)?
UPDATE: In another question, I found a very useful link describing different aspects for these functions. I share the link here, as other may use to better understand security issues and other aspects.
exec — Execute an external program
system — Execute an external program and display the output
shell_exec — Execute command via shell and return the complete output as a string
so if you don't need the output, I would go with exec.
Further details:
http://php.net/manual/en/function.exec.php
http://php.net/manual/en/function.system.php
http://php.net/shell_exec
Related
I have a php script which should use some preset system aliases. I.e. "alias ll=ls -l"
In terminal "ll" works but from php system("ll") outputs
sh: ll: command not found
How do I exit "sh" and execute my terminal commands?
P.S.: May be I missunderstood the basic linux components shell and bash. In this case, please correct me/the post
The PHP docs aren't clear about this, but presumably PHP's system is a reflection of Standard C's system(3), which hands the argument command to the command interpreter sh(1). If you want to avoid the shell, you'll need to use another feature of PHP besides system (like explicit fork/exec). That's context, but it won't help you solve your problem.
In your case it seems you just want the aliases in an rcfile. Scripts invoked by system calls aren't going to read your rcfile unless you take extraordinary steps to make that happen, and even if you do, it's going to be non-obvious to the maintenance programmer. I'd strongly advise you to put the alias in the script or command argument itself, or simply call the command explicitly (ls -al).
You can also manually source the rcfile from your script, or call system(csh -i 'yourcommands') to force csh to be invoked as an interactive shell (which should cause your rcfile to be read). I think this is a bad idea because it is effectively forcing the shell to behave inconsistently with its environment, but I'm including it here for completeness.
Most of the above I got from a quick read through the Startup and shutdown section of the csh manual on my Mac (Mavericks). There are other potential solutions there that I haven't laid out, as well.
I'm writing a command-line application that will substitute a bunch of bash functions and manual work made by a team of developers. Currently, half of what we usually do is inside a ~/.functions file that is sourced in the ~/.bash_profile of each developer.
My command-line application is written in PHP, and for a while I would need to run some of those functions from inside my application. However, the following code would not work, the output says it cannot find the given function:
exec('bash my_legacy_functions.sh');
exec('my_custom_legacy_function param1 param2');
I may be wrong, but I could understand that every exec() call runs a command in a separate process, meaning the functions would not be available for subsequents exec() calls. Is this right, and if yes, would it be possible to override this behaviour without having to bundle everything into one call?
In the end it turns out the default shell was not bash, and on top of that source is not a common command in bash. I found by this other question's answer that the solution is something like:
function run($cmd) {
exec("bash -c 'source my_legacy_functions.sh; $cmd'");
}
Hello I have a couple questions about PHP exec() and passthru().
1)
I never used exec() in PHP but I have seen it is sometimes used with imagemagick. I am now curious, what is some other common uses where exec is good in a web application?
2)
About 6 years ago when I first started playing around with PHP I did not really know anything, just very basic stuff and I had a site that got compromised and someone setup there own PHP file that was using the passthru() function to pass a bunch of traffic throught my site to download free music or video and I got hit with a 4,000$ bandwidth charge from my host! 6 years later, I know soo much more about how to use PHP but I still don't know how this ever happened to me before. How can someone beable to add a file to my server through bad code?
1] Exec() is really useful when you:
A) Want to run a program/utility on the server that php doesn't have a command equivalent for. For example ffmpeg is common utility run via an exec call (for all sorts of media conversion).
B) Running another process - which you can block or NOT block on - that's very powerful. Sometimes you qant a pcnt_fork though, or similar, along with the correct CL args for non blocking.
C) Another example is when I have to process XSLT 2.0 - I have to exec() a small java service I have running to handle the transformations. Very handy. PHP doesn't support XSLT 2.0 transformations.
2] Damn that's a shame.
Well, lots of ways. Theres a family of vulnerability called, "remote file include vulns", that basically allow an attacker to include arbitrary source and thus execute it on your server.
Take a look at: http://lwn.net/Articles/203904/
Also, mentioned above, say your doing something like (Much simplified):
exec("someUnixUtility -f $_GET['arg1']");
Well, imagine the attacker does, url.come?arg1="blah;rm -rf /", your code will basically boil down to:
exec("someUnixUtility -f blah; rm -rf /");
Which in unix, you separate commands w/the ; So yeah - that could be a lot of damage.
Same with a file upload, imagine you strip the last four chars (.ext), to find the extension.
Well, what about something like this "exploit.php.gif", then you strip the extension, so you have exploit.php and you move it into your /users/imgs/ folder. Well, all the attacker has to do now is browse to users/imgs/exploit.php and they can run any code they want. You've been owned at that point.
Use exec or when you want to run a different program.
The documentation for passthru says:
Warning
When allowing user-supplied data to be passed to this function, use escapeshellarg() or escapeshellcmd() to ensure that users cannot trick the system into executing arbitrary commands.
Someone had probably found a security hole in your script which allowed them to run arbitrary commands. Use the given functions to sanitise your inputs next time. Remember, nothing sent from the client can ever be trusted.
exec() allows you to use compiled code that is on your server, which would run faster than php, which is interpreted.
So if you have a large amount of processing that needs to be done quickly, exec() could be useful.
Specifically, I need to automate the encoding of audio files into mp3 with LAME. You don't need to know LAME to answer this, I could be talking about svn or some other program..
I know how to use LAME on the command line to do this, for one file at a time.
I would like to do this via a php script however, so I can convert a bunch at once (for instance, all the files in a directory)
So what I am confused about, is how I should invoke the program, LAME. I could definitely use
shell_exec()
http://php.net/manual/en/function.shell-exec.php
But is that a "screwy" way to do it, since I am going through the shell?
Should I be using lame_enc.dll somehow instead, instead of lame.exe?
It seems like I could somehow do it with exec() also http://php.net/manual/en/function.exec.php
But in that case, how would I supply the arguments?
Or is there a better way to do it, maybe a .bat file? I am running windows
Should I be using lame_enc.dll instead of lame.exe somehow?
You can use exec() and specify arguments just like you would on the command line. Other options are outlined on the Program Execution manual page for PHP.
It's possible to do it with PHP. Not a typical use case scenario but it can be done. Since you are on Windows, a bat file would be better suited since then you don't need the PHP parser to run the script.
Put the same commands you would run in the console to convert your audio files with LAME in a *.bat. Then run the bat as if it was a regular executable file.
My question is whether or not Flex's fcsh can be called from within a PHP script. Here is the background:
I have been created a simple process that creates a simple quiz/tutorial by converting a text file into a .mxml file and compiling to a .swf file using the mxmlc compiler. This works well from the command line, but I wanted to make the process easier by creating a web-interface to do this. My initial attempts with PHP's exec() function have not worked. The Python scripts I use to create the .mxml file work fine (using exec()), but I have not been able to get the mxmlc compiler to work.
After searching on the Web and on this site, I believe that using fcsh (instead of mxmlc) may be the way to go. Using fcsh would certainly compile the .mxml file faster (after the first run), and I think that fcsh can be launched as a service that might be able to be called from PHP.
On the other hand, maybe I am approaching this the wrong way. Would it be better to write a Flex application that calls fcsh and avoid using PHP?
Edit: Using fcshctl as hasseg suggested in his answer below worked very well. Thanks Ali.
The problem with calling fcsh from within scripts is that it works as an interactive shell instead of taking command-line arguments, compiling, and returning an exit status. There are different ways to get around this, which I've listed in this blog post of mine, where I mainly talk about fcshctl (which is my own solution for this,) but at the bottom of the post I've also listed other similar solutions to get fcsh integrated into nonstandard build workflows.
There are a few other ways in php to execute an external script. They are exec(), passthru(), system(), and backticks i.e. the key to the left of the 1 key. Each one has a different purpose and return mechanism.
You may have to put the command that executes your executable into a script and call that script via one of these functions.
Is there a particular reason why you can't use mxmlc directly? It seems like it would be easier to call than fcsh. Just specify all your compiler options in a XML file run it like mxmlc -load-config path/to/config.xml. You can find an example of the XML configuration format in FLEX_HOME/frameworks/flex-config.xml.