chlzr
Posts: 2
Joined: Mon Jun 03, 2013 3:28 pm

Run Bash script in PHP

Tue Jun 04, 2013 3:17 pm

Hello!
I'm currently building a very simple server with raspberry pi, with very very little knowledge about sql, php....

When the user goes to the following url "RPi_IP"/main.php?addr=10&value=100, I want it to run a Bash script:

Code: Select all

<html><body><h1>Hello! </h1>
Logic Address <?php echo$_GET["addr"]; ?><br>
Value <?php echo$_GET["value"]; ?><br>

$old_path = getcwd();
exec('cd');
exec('./writeknx $addr $value');
chdir($old_path);
Executing the URL I always get the following output:

Logic Address 10
With Value 100
$output = exec('ls -l'); $old_path = getcwd(); $output = exec('cd'); $output = exec('./writeknx $addr $value'); chdir("$old_path");

Thank you in advance!

User avatar
rpdom
Posts: 15428
Joined: Sun May 06, 2012 5:17 am
Location: Chelmsford, Essex, UK

Re: Run Bash script in PHP

Tue Jun 04, 2013 3:37 pm

That last chunk of code isn't enclosed in "<?php ... ?>" tags.

Also, you don't need to do that for every line, just put the whole code block in it with echo or printf statements.

Code: Select all

<html><body><h1>Hello! </h1>
<?php
echo "Logic Address ${_GET["addr"]}<br>\n";
echo "Value ${_GET["value"]}<br>\n";

$old_path = getcwd();
exec('cd');
exec('./writeknx $addr $value');
chdir($old_path);
?>

technion
Posts: 238
Joined: Sun Dec 02, 2012 9:49 am

Re: Run Bash script in PHP

Wed Jun 05, 2013 4:32 am

Just think about what happens when I go and visit this URL:

RPi_IP"/main.php?addr=10&value=100; rm -rf /

Passing PHP variables into a shell is almost always a bad idea.

User avatar
rpdom
Posts: 15428
Joined: Sun May 06, 2012 5:17 am
Location: Chelmsford, Essex, UK

Re: Run Bash script in PHP

Wed Jun 05, 2013 5:20 am

technion wrote:Just think about what happens when I go and visit this URL:

RPi_IP"/main.php?addr=10&value=100; rm -rf /

Passing PHP variables into a shell is almost always a bad idea.
True, the values should be at least quoted, if not escaped too, and checked for validity before use.

technion
Posts: 238
Joined: Sun Dec 02, 2012 9:49 am

Re: Run Bash script in PHP

Wed Jun 05, 2013 9:54 am

rpdom wrote:
technion wrote:Just think about what happens when I go and visit this URL:

RPi_IP"/main.php?addr=10&value=100; rm -rf /

Passing PHP variables into a shell is almost always a bad idea.
True, the values should be at least quoted, if not escaped too, and checked for validity before use.
Nearly every major software compromise has involved an attempt at "santising" that didn't go far enough. Even if you can put together a completely safe check (must be completely an integer) it's only reinforcing a programming habit that will come up again later ("I'm sure I can sanitise this large complex string just as easily").

If the original poster can tell us what this script is supposed to do, we can probably provide a better solution.

User avatar
rpdom
Posts: 15428
Joined: Sun May 06, 2012 5:17 am
Location: Chelmsford, Essex, UK

Re: Run Bash script in PHP

Wed Jun 05, 2013 10:42 am

technion wrote:Nearly every major software compromise has involved an attempt at "santising" that didn't go far enough. Even if you can put together a completely safe check (must be completely an integer) it's only reinforcing a programming habit that will come up again later ("I'm sure I can sanitise this large complex string just as easily").
Oh, believe me, I know this so well. I wouldn't use this method myself. If I needed something done using the parameters given, I would do it within the program. The only time I use any command line options in my web-facing code is when there aren't any parameters other than those I generate myself.

technion
Posts: 238
Joined: Sun Dec 02, 2012 9:49 am

Re: Run Bash script in PHP

Wed Jun 05, 2013 12:07 pm

Well said!

OP, why don't you show us a copy of writeknx and we'll see if there's a better way to address this.

Return to “Networking and servers”