Thanks to all of you for patiently answering my question "About exec() function in PHP"; it has given me an idea of how this works. Many of you pointed out the syntax error; my apologies, I forgot to include the quotes.
Actually, I have a requirement: under normal conditions the customer has the .exe file, which he normally runs from the command prompt, where he needs to include the path for the license and config files manually so that the application is valid for installation.
Now he wants a PHP script where he will enter the web page with his valid login details, and with the click of a link he should be able to run the .exe file to install the software on his machine. Including the license and config file is my job, which I have been working on; on the other hand, I am still not clear whether it is really possible to run the .exe file on the client's machine when the script runs on the remote PHP server. What are the other alternatives to accomplish this? Can anyone clear my doubts?
You cannot run anything on the client machine from a PHP script running on the server. It's impossible. What you can do is create an archive (e.g. ZIP) that contains the executable file, the license file and the configuration. Then you can offer this archive to the user as download. After extracting the archive on his machine he then would be able to execute the application.
Other possibilities to execute something on the client machine would be a Java applet or a Flash application. Those are subject to a lot of security restrictions though.
Alternative:
1. Save settings to file
2. Pack the program into an archive with the settings file and license
3. Download archive
PHP is on the server, the server generates HTML/JS/CSS. The PHP process ends before the web page is displayed to the user.
There's no way, and a VERY VERY good reason why this can not or will never be able to be done.
And why would you want to run an .exe file on someone's computer other than malicious reasons?
You're on the Web, sell subscription, what licensing are you talking about?
There is no way to actually execute a program on the client machine directly from PHP. The best you can hope to achieve is to provide a download for the executable file and then the client can execute it manually. You could provide an archive file with the installation executable and config/license file(s), but the client would still have to execute the file manually.
You could potentially use client-side technologies such as Flash, Java or ActiveX to accomplish this, but this is not a simple task and requires fairly intimate knowledge of the languages on which these technologies are based.
If the file was an MSI, it would be theoretically possible to allow the server to remotely install it on the client machine, however there are some barriers to this:
You need a fully fledged Windows domain for this, and both the server and client machines would have to be members of that domain. There is no way around this.
You would most likely need to know the NetBIOS name of the client machine, and there is AFAIK no 100% reliable way to determine this from PHP.
Your PHP instance would need to be running under an account that has administrative privileges in the domain. This is unlikely to be the case at the moment, and it is not a very good idea to run like this anyway.
Related
I develop some python applications so I know how to do this in python locally, but am working with some PHP developers (I know nothing of PHP) who say this can't be done in PHP. This is the idea: A php driven remote website which creates / hosts files. Using a web browser I want to download from this website a series of folders and files onto the local machine overwriting already existing files/folders with the same name. So in my browser I click on a download button which asks me to browse to a local or network folder to download the folders and files to. Currently we are just downloading a single .zip file containing all these files and folders which we have to unzip and manually move, copy paste, etc, very messy and cumbersome. There must be a better way with PHP and some other language?
No, it's not possible for PHP (a server-side language) to access the client machine (from a browser) and directly manipulate its file system, hard drive, or anything like that. This is not the way it works.
Just think about it for a moment: if it could be accomplished, we would have a serious security threat. For example, we visit a page like somebadassdude.com and they have a PHP script that creates unlimited folders and files to fill up all our HD... and that is the soft case.
But hopefully the browsers don't allow this, by security design.
Look at this:
As you can see in the diagram, the browser and the server respond to each other through HTTP requests and responses. There is no communication between them like there is with a local program running on the client OS. You deal with the user's browser, and there's no way to command the browser to manipulate the client hard disk; if that could happen, look at the security concern that I mentioned before.
To be clearer, your PHP script is running on your server, not on the client machine. It only responds when a user/browser requests a specific resource on your server, and it responds with an HTTP response, which can contain HTML, or JSON, or a file (to be downloaded or visualized by an external program), or whatever.
You have limited options:
If it is something for an intranet or local network, and you have access to that network, locally or remotely (for example with VPN access), you could share a folder over the network. That way you can use a PHP script or Python script to create the folders and copy the files to it, without having to download a zip and unzip it manually from the browser.
Using a Java applet. Why? Because a Java applet runs on the client side, so you have access to his computer (if the user allows it), and you certainly can manipulate (create, delete, read, etc. folders and files) his hard drive. So when the user chooses the files to download, you fire the Java applet and let it request from the server the files that the user has marked. When you have the files downloaded, create or overwrite the files on the client machine.
Create and run a program on the client machine instead of a web page; this way you gain the needed flexibility. But of course, it has its own complexities.
So IMHO I think the Java applet may be the best-suited solution for you:
You do not have to change your actual business model much.
It doesn't require a large time investment.
It is cross-platform: Java can work on plenty of operating systems, and Java applets work in the most popular browsers.
By the way, I personally dislike Java, but it's a tool, and you have to use the right tool for a job.
Cheers.
I have developed a C++ application which reads from 2 input files.
The app analyzes the files, and in response creates a new file with new information.
All of the above works on my machine, but recently the project's managers added a request to make a Web GUI.
The users should be able to load the 2 files from their local machine to the folder, and then the server will run the EXE file that will put a new output file in the folder.
When the EXE is done running, the output file will be presented to the user on the client side.
I am in charge of the application, so we hired a company to make the web side.
The EXE file is located on the server with the web site files.
The company wrote it in PHP, and when a user wants to get the output file, they run the EXE file with the function "exec".
In response they get an error that this function isn't available because of security issues.
From what I understand, all that needs to be done, is to enable the function from php.ini,
but the company told me that the problem is with my application.
I'm writing this question, because I'm not sure how this should be done, and I wanted to know what is the right way to go, in order to answer the project requirements.
Maybe a web service, written in C++, that will replace my EXE file? (Tell me if I'm completely wrong :))
Thanks a lot, Ben.
So far my search has shown the potential security holes that will be made while trying to perform a sudo'd command from within PHP.
My current problem is that I need to run a bash script as sudo on my work web server via PHP's exec() function. We currently host a little less than 200 websites. The website that will be doing this is restricted to only be accessible from my office's IP address. Will this remove any potential security issues that come with any of the available solutions?
One of the ways is to add the apache user to the sudoers file, I assume this will apply to the entire server so will still pose an issue on all other websites.
Is there any solution that will not pose a security threat when used on a website that has access restricted to our office?
Thanks in advance.
Edit: A brief background
Here's a brief description of exactly what I'm trying to achieve. The company I work for develops websites for tourism related businesses, amongst other things. At the moment when creating a new website I would need to setup a hosting package which includes: creating the directory structure for the new site, creating an apache config file which is included into httpd.conf, adding a new FTP user, creating a new database for use with the website CMS to name a few.
At the moment I have a bash script on the server which creates the directory structure, adds user, creates apache config file and gracefully restarts apache. That's just one part, what I'm looking to do is use this shell script in a PHP script to automate the entire website generation process in an easy to use way, for other colleagues and just general efficiency.
You have at least 4 options:
Add the apache user to the sudoers file (and restrict it to run the one command!)
In this case some security hole in your php-apps may run the script too (if they can include the calling php for example - or even bypass the restriction to your ip by using another url that also calls the script, mod_rewrite)
Flag the script with the s bit
Dangerous, don't do it.
Run another web server that only binds to a local interface and is not accessible from outside
This is my preferred solution, since the link calling the PHP is accessible by links from your main web server and the security can be handled separately. You can even create a new user for this server. Some simple server does the job; there are server modules for Python and Perl, for example. It is not even necessary that you enable exec in your PHP installation at all!
Run a daemon (inotify for example, to watch file events) or cronjob that reads some file or db-entry and then runs the command
This may be too complex and has the disadvantage, that the daemon can not check which script has generated the entry.
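The first option above ("restrict it to run the one command") in concrete form, as an added example that is not part of the original answer: a sudoers rule limited to a single script, and a PHP wrapper that rejects any argument that is not a plain hostname before it reaches the shell. The script path, the sudoers file name and the function names are assumptions.

```php
<?php
// Added example. Hypothetical names: /usr/local/sbin/create_site.sh and the
// sudoers file below are assumptions, not taken from the question.
//
// /etc/sudoers.d/create-site (edit with: visudo -f /etc/sudoers.d/create-site)
//   too broad:  apache ALL=(ALL) NOPASSWD: ALL
//   restricted: apache ALL=(root) NOPASSWD: /usr/local/sbin/create_site.sh
// The script must be owned by root and not writable by the apache user.

const PROVISION_SCRIPT = '/usr/local/sbin/create_site.sh';

/** Accept only a plain lowercase hostname; anything else is rejected, not cleaned up. */
function valid_site_name(string $name): bool
{
    // The D modifier stops "$" from matching before a trailing newline.
    return strlen($name) <= 253
        && preg_match('/^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,24}$/D', $name) === 1;
}

/** Build the one command line the sudoers rule permits. */
function build_command(string $site): string
{
    if (!valid_site_name($site)) {
        throw new InvalidArgumentException('invalid site name');
    }
    // -n: fail instead of prompting for a password. The argument is quoted as
    // well as validated, so a later change to the pattern cannot open an injection.
    return 'sudo -n ' . escapeshellarg(PROVISION_SCRIPT) . ' ' . escapeshellarg($site);
}

/** Run the script and return its exit code; its output lines land in $output. */
function provision_site(string $site, ?array &$output = null): int
{
    $output = [];
    exec(build_command($site) . ' 2>&1', $output, $status);
    return $status;
}

// Constructed sample inputs: only the first one passes validation.
foreach (['example-hotel.com', 'a.com; id', '../etc', "x.com\n"] as $candidate) {
    printf("%-22s %s\n", json_encode($candidate), valid_site_name($candidate) ? 'accepted' : 'rejected');
}
```

The sudoers rule limits what the apache user can run as root; the validation limits what that one script can be asked to do, which matters because any PHP application on the same server runs as the same user.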
I'm trying to figure out if there's a way in PHP to open a file on a user's desktop (i.e., the user select a file from a file list shown on a PHP page, and then the file opens with the appropriate program on the user's desktop as if the user had double-clicked it in the GUI.) After searching for a while, I discovered that this is possible via some convoluted-looking code using the COM object in PHP, but that's only going to work for Windows users and I'm trying to keep this platform agnostic.
Has anyone else ever tried to do this and succeeded?
You can't execute an application on the user's machine without either a lengthy "user consent" process, or the user voluntarily (and, ideally, knowingly) installing some software component.
I think the cleanest way might be to use a (signed!) Java applet.
Otherwise you could try and make the user register a specific protocol, with a suitable protocol handler, that you would let download and install on the user's system to intercept a link such as exec://format%20C%2C ;-)
Unfortunately, the file:// protocol is (understandably) restricted. For example, in Firefox it will work (somewhat) if you insert manually "C:\" in the address bar and navigate. If you click on those links they will (somewhat) work. Copy the same links in a document in a different security context (e.g. Internet) and lo and behold, it won't work.
Another possibility would be to backdoor all the intranet clients with, um, REXECd (available on most platforms) or some clone. Then when the user clicks, you send the command from PHP to the user's workstation. Since nowadays PC's are multiuser platforms, you'll need some quick legwork to determine how to do the deed. E.g. on a Linux box you'd have to run a X application with the appropriate ownership and DISPLAY value.
You could also "recognize" the user's platform and let the user download an appropriate batch file, either .sh or .bat or .cmd; but they would need a click to download, one to approve, one to open the executable.
You can't run files on the client. It's a big security hole and the browser will not allow you to do that.
On windows you can use ActiveX, but client must allow installing ActiveX component, and you will have many problems with it.
I'm playing with an embedded Linux device and looking for a way to get my application code to communicate with a web interface. I need to show some status information from the application on the devices web interface and also would like to have a way to inform the application of any user actions like uploaded files etc. PHP-seems to be a good way to make the interface, but the communication part is harder. I have found the following options, but not sure which would be the easiest and most convenient to use.
Sockets. Have to enable sockets for the PHP first to try this. Don't know if enabling will take much more space.
Database. Seems like an overkill solution.
Shared file. Seems like a lot of work.
Named pipes. Tried this with some success, but not sure if there will be problems with for example on simultaneous page loads. Maybe sockets are easier?
What would be the best way to go? Is there something I'm totally missing? How is this done in those numerous commercial Linux based network switches?
I recently did something very similar using sockets, and it worked really well. I had a Java application that communicates with the device, which listened on a server socket, and the PHP application was the client.
So in your case, the PHP client would initialize the connection, and then the server can reply with the status of the device.
There's plenty of tutorials on how to do client/server socket communication with most languages, so it shouldn't take too long to figure out.
What kind of device is it?
If you work with something like a shared file, how will the device be updated?
How will named pipes run into concurrency problems that sockets will avoid?
In terms of communication from the device to PHP, a file seems perfect. PHP can use something basic like file_get_contents(), the device can just write to the file. If you're worried about the moment in time the file is updated to a quick length check.
In terms of PHP informing the device of what to do, I'm also leaning towards files. Have the device watch a directory, and have the script create a file there with something like file_put_contents($path . uniqid(), $command); That way, should two scripts run at the exact same time, you simply have two files for the device to work with.
Embedded linux boxes for routing with web interface don't use PHP. They use CGI and have shell scripts deliver the web page.
For getting information from the application to the web interface, the Shared file option seems most reasonable to me. The application can just write information into the file which is read by PHP.
The other way round it looks not so good at first. PHP supports locking of files, but it most probably doesn't work on a system level. Perhaps one solution is that in fact every PHP script which has information for the application creates its own file (with a unique id filename, e.g. based on timestamp + random value). The application could watch a designated directory for these files to pop up. After processing them, it could just delete them. For that, the application only needs write permission on the directory (so file ownership is not an issue).
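The one-file-per-request directory suggested in this answer and in the file_put_contents() answer above, and the watched-file option in the sudo answer, as an added example that is not code from any of the posts. Both sides are written in PHP only to keep the example in one language; the command names and function names are constructed. Because the reader cannot tell which script wrote an entry, it accepts only commands from a fixed allowlist.

```php
<?php
// Added example. ALLOWED_COMMANDS and the function names are constructed
// for illustration; they are not from the posts above.

const ALLOWED_COMMANDS = ['reload-config', 'import-upload', 'restart-service'];

/** Web side: publish one request file in the spool directory, atomically. */
function enqueue_command(string $spoolDir, string $command): string
{
    if (!in_array($command, ALLOWED_COMMANDS, true)) {
        throw new InvalidArgumentException('command not allowed');
    }
    $name = bin2hex(random_bytes(16));     // unguessable name, no collisions
    $tmp  = "$spoolDir/.tmp-$name";        // not matched by the reader's *.cmd glob
    if (file_put_contents($tmp, $command) === false) {
        throw new RuntimeException('cannot write spool file');
    }
    // rename() inside one filesystem is atomic: the reader never sees a partial file.
    if (!rename($tmp, "$spoolDir/$name.cmd")) {
        throw new RuntimeException('cannot publish spool file');
    }
    return "$name.cmd";
}

/** Application side: collect pending commands, deleting each file once read. */
function drain_queue(string $spoolDir): array
{
    $commands = [];
    foreach (glob("$spoolDir/*.cmd") ?: [] as $file) {
        // Do not follow symlinks, and read a bounded number of bytes.
        $command = is_link($file) ? false : file_get_contents($file, false, null, 0, 64);
        unlink($file);
        // The spool is untrusted input: re-check the allowlist before acting on it.
        if ($command !== false && in_array($command, ALLOWED_COMMANDS, true)) {
            $commands[] = $command;
        }
    }
    return $commands;
}

// Constructed demonstration in a temporary directory.
$spool = sys_get_temp_dir() . '/spool-' . bin2hex(random_bytes(4));
mkdir($spool, 0700);
enqueue_command($spool, 'reload-config');
enqueue_command($spool, 'import-upload');
file_put_contents("$spool/forged.cmd", 'not-a-known-command');  // written by something else
print_r(drain_queue($spool));   // two allowlisted commands; the forged entry is dropped
rmdir($spool);
```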
If possible, use shell scripts.
I did something similar: I wrote a video surveillance application. The video part is handled by motion (a great FOSS package). The application is a turn-key solution on standardized hardware, used to monitor slot-machine casinos. It serves as a kiosk system locally and is accessible via internet. I wrote all UI code in PHP; the local display is a tightly locked down KDE desktop with a full screen browser defaulting to localhost. I used shell scripts to interact with motion and the OS.
On a second thought:
If you can use self-compiled applications on the device: Write a simple program that returns the value you want and use PHP's exec() or passthru() or system().