Is it possible to know which PHP script is executing a certain mysql query?
I'm using a prebuilt system which has a bunch of files and I'm seeing one query I want to investigate but no idea where to start looking.
Thanks,
Try searching for non-variable parts of the query in the source files directly (e.g. using your IDE's search function, or using grep -r 'some part of the query').
If you can't find it, try tracing function calls with xdebug. This will log all PHP function calls, and it will be easy to find which file did mysql_query(the query).
(Set the ini setting xdebug.collect_params to 3 to get the parameter values in the log file.)
Related
We've got a PHP code that is currently reading a config file to get some definitions and passwords.
The PHP code is out of my control and I cannot ask for code changes.
As I need the ability to change the config dynamically, I would like to execute a binary (written in go) every time the PHP code is trying to read the config.
The workflow that I think of will be something like:
PHP ask to read the file (fopen() for example) -> an executable is running and outputting the generated config -> the PHP code is getting the output as if it was reading a static file.
I'm not much of a Linux guru and I'm having difficulties understanding if it's possible or not and if it does, how to do it.
We're using Debian 9 and running PHP 7.2
Any ideas if it's possible and how to make it work?
ADyson's comment is quite worthy of consideration. If you insist on executing a program rather than asynchronously updating the file, this can be done: Create a named pipe with mkfifo config and continuously run the program, opening, writing to and closing the config in a loop. But you'd have to ensure that no two instances of the PHP code try to read at the same time.
I was always sure that the PHP functions file_get_contents and readfile execute any PHP code in any files - regardless of file type - that are given to it. I tried this on multiple setups, and it always worked.
I received a question regarding this here, and the user seems to think that this is not the case.
I looked at the PHP documentation for the functions, and they do not mention code execution (which is something that I would expect if this is normally the case, as it has serious security implications).
I also searched for it, and found a lot of claims that the functions do not execute PHP code. For example:
readfile does not execute the code on your server so there is no issue there. source
Searching for "php file_get_contents code execution" also returns various questions trying to execute the retrieved PHP code, which seems odd if it would indeed normally execute any given PHP code.
I also found one question that asks about not execution PHP code, so execution does seem to happen to others as well.
So my questions are:
do the functions file_get_contents and readfile execute PHP code in retrieved files?
does this depend on some php.ini setting? If so, what setting(s)?
does it depend on the PHP version, and if so, what versions are affected?
if it is not normally the case, what may be the reasons that they execute the PHP code in my setups?
file_get_contents and readfile do not execute code. All they do is return the raw contents of the file. That could be text, PHP code, binary (e.g. image files), or anything else. No interpretation of the files' contents is happening at all.
The only situation in which it may appear as if execution is happening is:
<?php ?> tags will likely be hidden by the browser because it's trying to interpret them as HTML tags, so this may lead to the impression that the PHP disappeared and hence may have been executed.
You're reading from a source which executes the code, e.g. when reading from http://example.com/foo.php. In this case the functions have the same effect as visiting those URLs in a web browser: the serving web server is executing the PHP code and returning the result, but file_get_contents merely gets that result and returns it.
Those functions are described in the «Function Reference / File System Related Extensions / Filesystem» section of the manual, while function to execute code are described at «Function Reference / Process Control Extensions».
I'm pretty sure the misunderstanding comes from a somehow widespread confusion between file system and network and that's made worse by the PHP streams feature that provides protocol wrappers which allow to use the same functions to transparently open any kind of resources: local files, networks resources, compressed archives, etc. I see endless posts here where someone does something like this:
file_get_contents('http://example.com/inc/database.inc.php');
... and wonders why he cannot see this database connection. And the answer is clear: you are not loading a file, you're fetching a URL. As a result, code inside database.inc.php gets effectively executed... though rather indirectly.
i am trying to find a way to have a PHP script execute a .cpp file, and then return the results via PHP.
I will map out my methodology to avoid confusion in my question:
Certain action on webpage (Button click) -> PHP runs .cpp file -> the results of the .cpp file are returned to PHP -> returned data is used to repopulate the page .
Is this possible to do? (please do not vote down, i have looked online and could not find a solid lead to help me establish this connection)
I hope you mean to run a built executable...
The exec function will run the application similar to running it through a command line. This means that you can get the standard output of the application like you would through the command line.
How to run abc.exe using php
It's kind of kludgy, if you can, just duplicate the executables functionality in PHP.
I want to be able to discover if a Debian package has been installed on our production server, the functionality should be just like extension_loaded().
Can anyone suggest a method? I can only assume I should use exec() and parse return value for 'command not found', I'd like to know if there's a safer / better option though.
If you have permission to exec, then you could use one of the following:
whereis packagename
apt-cache policy packagename
You could write a simple API for this. It should do something like the following;
Let php write the wanted packages to a xml file, text file, or database, anything you can read with a shell app, perl app, or whatever.
On the server level, read out the file, database, check if the package exists and return the value in an output file, database table or whatever.
read out the output file with php and show it to your user
The drawback of the above proposed solution is that it takes some time, eg. you cannot check for the availability of the package in realtime. If that is actually mandatory, you could write a php script which does not take any input, but reads out the packages that should be checked from a database or a text file, where the values have been extensively tested, eg. using a regex. On this way you're sure a malicious user cannot inject shell commands.
My question is whether or not Flex's fcsh can be called from within a PHP script. Here is the background:
I have been created a simple process that creates a simple quiz/tutorial by converting a text file into a .mxml file and compiling to a .swf file using the mxmlc compiler. This works well from the command line, but I wanted to make the process easier by creating a web-interface to do this. My initial attempts with PHP's exec() function have not worked. The Python scripts I use to create the .mxml file work fine (using exec()), but I have not been able to get the mxmlc compiler to work.
After searching on the Web and on this site, I believe that using fcsh (instead of mxmlc) may be the way to go. Using fcsh would certainly compile the .mxml file faster (after the first run), and I think that fcsh can be launched as a service that might be able to be called from PHP.
On the other hand, maybe I am approaching this the wrong way. Would it be better to write a Flex application that calls fcsh and avoid using PHP?
Edit: Using fcshctl as hasseg suggested in his answer below worked very well. Thanks Ali.
The problem with calling fcsh from within scripts is that it works as an interactive shell instead of taking command-line arguments, compiling, and returning an exit status. There are different ways to get around this, which I've listed in this blog post of mine, where I mainly talk about fcshctl (which is my own solution for this,) but at the bottom of the post I've also listed other similar solutions to get fcsh integrated into nonstandard build workflows.
There are a few other ways in php to execute an external script. They are exec(), passthru(), system(), and backticks i.e. the key to the left of the 1 key. Each one has a different purpose and return mechanism.
You may have to put the command that executes your executable into a script and call that script via one of these functions.
Is there a particular reason why you can't use mxmlc directly? It seems like it would be easier to call than fcsh. Just specify all your compiler options in a XML file run it like mxmlc -load-config path/to/config.xml. You can find an example of the XML configuration format in FLEX_HOME/frameworks/flex-config.xml.