4

So I want to execute a bash command from PHP on my web server. I can do this using shell_exec. However, one of the commands I want to execute is curl. I use it to send a .wav file to another server and record its response. But when invoked from PHP, curl doesn't work.

I reduced the error to the following small example. I have a script named php_script.php which contains:

<?php
$ver=shell_exec("curl -F file=@uploads/2013-7-24-17-31-43-29097-flash.wav http://otherserver");
echo $ver

The curious thing is that when I run this php script from command line using php php_script.php, the result I get is 

Status: 500 Internal Server Error
Content-type: text/html

However, if I run curl -F file=@uploads/2013-7-24-17-31-43-29097-flash.wav http://otherserver directly, I get the response I was expecting:

verdict = authentic

(Edit:) I should probably mention that if I put some bash code inside the shell_exec argument which does not contain curl, the bash command executes fine. For example, changing the line to $ver = shell_exec("echo hello > world"); puts the word "hello" into the file "world" (provided it exists and is writable). (End edit.)

Something is blocking the execution of curl when it is invoked from PHP. I thought this might be PHP's running in safe mode, but I found no indication of this in php.ini. (Is there a way to test this to make 100% sure?) What's blocking curl and, more importantly, how can I bypass or disable this block?

(And yes, I realize PHP has a curl library. However, I prefer to use commands I can run from the command line as well, for debugging purposes.)

cheers, Alan

Alan
  • 929
  • 6
  • 10
  • 1
    What do you get if you add `-v` to the curl command? – Craig Jul 24 '13 at 16:50
  • When I add `-v` to the curl command, the output from the PHP invokation does not change. The output from the direct cli invokation is more verbose, ie. connection data and headers are shown. But I'm not sure that's all that interesting as the direct cli invokation is the one that produces the correct output ;) – Alan Jul 24 '13 at 17:21
  • Have you tried the full path to curl? /usr/bin/curl or whatever is correct for your platform. – Craig Jul 24 '13 at 17:54
  • I have now. Same problem. – Alan Jul 24 '13 at 18:01
  • What is the output of `php --version` and check the output of `php -i` to see how php is configured. The "status: 500..." output makes me think you are running php in cgi mode and an error is occurring. – Craig Jul 24 '13 at 19:22
  • 1
    Stupid question -- do you have a `;` at the end of the echo $var line? – Craig Jul 24 '13 at 19:27
  • Oh my god. That was actually the error. It works now. Thanks! – Alan Jul 24 '13 at 19:35

1 Answers1

0

The reason is the administrative privileges when you run the command directly you are running it as root and thus the command gets executed. But, when you run the command through PHP it runs as an user. By, default user has not the privileges to run the shell_exec commands.

You have to change the settings of shell_exec through CPanel/Apache config file. But, it is not recommended to provide the shell_exec access to the user as it help hackers to attack on server and thus, proper care should be taken.

It would be more appropriate to use the curl library provided in PHP.

Vineet1982
  • 7,730
  • 4
  • 32
  • 67
  • I tried changing the script to this: ` world");` not only does this script execute fine when invoked using the same php command (`php php_script.php`), it also puts my username (not another user's) in the file `world`. Am I wrong to conclude that 1) `shell_exec` is working, and 2) I am not root? – Alan Jul 24 '13 at 17:29
  • Kindly confirm the output of – Vineet1982 Jul 24 '13 at 17:52
  • The output for the direct invokation is: `ping: unknown host count`. The output for the PHP invokation is the same but with the extra line `Content-type: text/html` – Alan Jul 24 '13 at 17:59
  • And in case your command contained an error, or just for completeness' sake, running `ping google.com` gets me the error `ping: icmp open socket: Operation not permitted`. – Alan Jul 24 '13 at 18:00
  • I use cygwin may be that is the reason but that proves that you have not shell_exe privileges – Vineet1982 Jul 24 '13 at 18:01
  • I'm confused. My conclusion is that this observation fails to prove this hypothesis because the output from the direct cli invokation does not substantially differ from the PHP invokation. Why is this conclusion wrong? – Alan Jul 24 '13 at 18:04