Neglecting to sanitize user input that may subsequently be passed to system-level functions could allow attackers to do massive internal damage to your information store and operating system, deface or delete Web files, and otherwise gain unrestricted access to your server. And that's only the beginning.

He starts with a "real world" example of non-filtered data that could pass through a "rm" command and erase your entire drive. He offers two solutions for preventing this sort of hack using the escapeshellcmd and escapeshellarg functions.

So a small php shell was tweeted around and it inspired me to investigate a way to execute non-alphanumeric code. First off I started with the idea of using octal escapes in PHP and constructing the escape so for example: 107 is "G" if I could construct the "107" and add the backslash to the beginning maybe I could construct "G".

A snippet of example code is included showing his octal-based code for creating a "G" (6 lines of pluses, parentheses, equals and a few more characters). By doing some trickery with bitwise operators on strings, he was able to combine characters and make the string "GET". Pretty clever, even if it's not entirely practical.

The developers at Facebook have brought PHP developers a powerful REPL now ala-Python to round out a solid toolbox that PHP developers already have. The project is called phpsh and is written in Python.

He includes the commands you'll need to get it pulled from github and working, providing you with an interactive shell right on your local machine (more powerful than the built-in PHP shell). You can also grab a zip or gzipped archive for download. For complete details on the tool and how to use it, see phpsh.org.

Since I spend most of my days programming PHP I tend to need that a lot and a few years back I wrote a small script that would let me type php code in my browser and execute it. Nothing fancy, but quite useful. Over the years a few people got interest seeing me use it and asked for the sources, so instead of repackaging it every time, I thought I'd clean it up, polish a bit, add some features, and put it on github.

Setup is as simple as dropping the code somewhere in your local server's document root and offers a textarea for input and a expandable tree for the resulting output. It uses the Krumo tool to create this modified output. You can see a screenshot here.

A few years ago I used another blog to write about "More PHP power on the command line" almost 5 years later the PHP interactive shell got a major update which went in PHP's trunk.

You can check out the commit message for more details on this new addition including paging ability and the ability to run PHP directly in the shell.

php is an interactive php shell that solves a number of painful problems with normal php shells: error handling, readline support, autocomplete, history, require support an autoload support.

You can grab the latest version from his github repository.

Why is that a good thing or what is it generally used for? Well, probably the #1 reason to write a shell is to allow certain aspects of your application to be executed by cron (behind the scenes), rather than through human intervention or web interface. [...] The other option is, of course, to be able to automate some mundane tasks... just take a look at the power of "bake".

He's broken things up into a few different categories - a general look at what the shells are and how they can be used, some of the more handy shell methods included by default, how to load in models to get access to your data and, finally, how to call a method from one of your classes.

This post is for the techies who know me, and are switching. Some are coming from Windows, some from Linux, some are designers who need to do some local development. So, I'll try to keep this post as simple as possible, and perhaps more like a tutorial, where you can "copy and paste" commands and files.

He recommends a few pieces of software that you'll need - things like XAMPP and MySQL - and some other "nice to haves" like TextMate, Subversion and Expandrive. He shows how to set up the shell environment, create virtual hosts and add them into the /etc/hosts file so they'll resolve locally.

Everyone knows PHP can be used to create websites. But it can also be used to create desktop applications and commandline tools. And now with a class called System_Daemon, you can even create daemons using nothing but PHP. And did I mention it was easy?

He starts with a definition ("a linux program that runs in the background") and why PHP makes a good language choice for creating them. His example uses the System_Daemon PEAR class to do most of the heavy lifting. To use it, you only need to include it at the top of the script and make two calls to the setOption and start methods to have the rest of the code all set to run as a daemon.

The example code sets up a daemon complete with support for command-line arguments and the ability to be run from init.d on the local system.

I'm porting a spaghetti-PHP application over to using CakePHP I am moving their existing authorization system over to using Cake's Auth component. Of course, they are storing all their passwords in plaintext in the user account table, so I needed an easy way to convert all the existing passwords over to be encrypted using the same hash that Auth would use.

With the help of the shells and tasks that the framework makes availiable, he's able to make a simple 24 line class (EncryptPasswordShell) that extends the Shell object and loops through the data to push it back into the database in the correct password format.