Run Bash script in PHP

Posted: Tue Jun 04, 2013 3:17 pm
by chlzr
Hello!
I'm currently building a very simple server with a Raspberry Pi, with very, very little knowledge about SQL, PHP...

When the user goes to the following url "RPi_IP"/main.php?addr=10&value=100, I want it to run a Bash script:

<html><body><h1>Hello! </h1>
Logic Address <?php echo$_GET["addr"]; ?><br>
Value <?php echo$_GET["value"]; ?><br>

$old_path = getcwd();
exec('cd');
exec('./writeknx $addr $value');
chdir($old_path);
Executing the URL I always get the following output:

Logic Address 10
With Value 100
$output = exec('ls -l'); $old_path = getcwd(); $output = exec('cd'); $output = exec('./writeknx $addr $value'); chdir("$old_path");

Thank you in advance!

Re: Run Bash script in PHP

Posted: Tue Jun 04, 2013 3:37 pm
by rpdom
That last chunk of code isn't enclosed in "<?php ... ?>" tags.

Also, you don't need to do that for every line, just put the whole code block in it with echo or printf statements.

<html><body><h1>Hello! </h1>
<?php
echo "Logic Address ${_GET["addr"]}<br>\n";
echo "Value ${_GET["value"]}<br>\n";

$old_path = getcwd();
exec('cd');
exec('./writeknx $addr $value');
chdir($old_path);
?>

Re: Run Bash script in PHP

Posted: Wed Jun 05, 2013 4:32 am
by technion
Just think about what happens when I go and visit this URL:

RPi_IP"/main.php?addr=10&value=100; rm -rf /

Passing PHP variables into a shell is almost always a bad idea.

Re: Run Bash script in PHP

Posted: Wed Jun 05, 2013 5:20 am
by rpdom
technion wrote: Just think about what happens when I go and visit this URL:

RPi_IP"/main.php?addr=10&value=100; rm -rf /

Passing PHP variables into a shell is almost always a bad idea.
True, the values should be at least quoted, if not escaped too, and checked for validity before use.

Re: Run Bash script in PHP

Posted: Wed Jun 05, 2013 9:54 am
by technion
rpdom wrote:
technion wrote: Just think about what happens when I go and visit this URL:

RPi_IP"/main.php?addr=10&value=100; rm -rf /

Passing PHP variables into a shell is almost always a bad idea.
True, the values should be at least quoted, if not escaped too, and checked for validity before use.
Nearly every major software compromise has involved an attempt at "sanitising" that didn't go far enough. Even if you can put together a completely safe check (must be completely an integer) it's only reinforcing a programming habit that will come up again later ("I'm sure I can sanitise this large complex string just as easily").

If the original poster can tell us what this script is supposed to do, we can probably provide a better solution.

Re: Run Bash script in PHP

Posted: Wed Jun 05, 2013 10:42 am
by rpdom
technion wrote: Nearly every major software compromise has involved an attempt at "sanitising" that didn't go far enough. Even if you can put together a completely safe check (must be completely an integer) it's only reinforcing a programming habit that will come up again later ("I'm sure I can sanitise this large complex string just as easily").
Oh, believe me, I know this so well. I wouldn't use this method myself. If I needed something done using the parameters given, I would do it within the program. The only time I use any command line options in my web-facing code is when there aren't any parameters other than those I generate myself.

Re: Run Bash script in PHP

Posted: Wed Jun 05, 2013 12:07 pm
by technion
Well said!

OP, why don't you show us a copy of writeknx and we'll see if there's a better way to address this.
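
Added example, not code from any poster in this thread: one way to act on the concerns raised above, accepting addr and value only as integers and starting writeknx from an argument array so that no shell ever parses them. The path /home/pi/writeknx, the 0..255 ranges and the helper names int_param and run_writeknx are assumptions; array commands in proc_open need PHP 7.4 or later.

```php
<?php
// Assumptions (not from the thread): writeknx takes two integer arguments,
// lives at WRITEKNX_PATH, and 0..255 stands in for the real allowed ranges.
const WRITEKNX_PATH = '/home/pi/writeknx'; // hypothetical absolute path

/** Return the query parameter as an int within [$min, $max], or null. */
function int_param(array $query, string $name, int $min, int $max): ?int
{
    if (!isset($query[$name]) || !is_string($query[$name])) {
        return null; // missing, or an array such as ?addr[]=1
    }
    $value = filter_var($query[$name], FILTER_VALIDATE_INT,
        ['options' => ['min_range' => $min, 'max_range' => $max]]);
    return $value === false ? null : $value;
}

/** Run writeknx from its own directory; returns its exit status or -1. */
function run_writeknx(int $addr, int $value): int
{
    // An array command is executed directly, without /bin/sh, so ';' or '|'
    // in a parameter could never be interpreted even if validation were missing.
    $argv = [WRITEKNX_PATH, (string) $addr, (string) $value];
    $null = ['file', '/dev/null', 'r'];
    $spec = [0 => $null, 1 => ['file', '/dev/null', 'w'], 2 => ['file', '/dev/null', 'w']];
    $pipes = [];
    $proc = proc_open($argv, $spec, $pipes, dirname(WRITEKNX_PATH));
    return is_resource($proc) ? proc_close($proc) : -1;
}

$addr  = int_param($_GET, 'addr', 0, 255);
$value = int_param($_GET, 'value', 0, 255);

if ($addr === null || $value === null) {
    http_response_code(400);
    echo 'addr and value must be integers in the allowed range';
    exit;
}

$status = run_writeknx($addr, $value);
echo 'Logic Address ', $addr, "<br>\n"; // echo the validated ints, not raw $_GET
echo 'Value ', $value, "<br>\n";
echo $status === 0 ? 'OK' : 'writeknx failed';
```

A request such as addr=10&value=100; rm -rf / fails the integer check and gets a 400 response before any process is started.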