Matthew Turland's Blog:
CDC Update (or an Unusual Parse Error)
Apr 09, 2009 @ 09:32:46

Matthew Turland came across an interesting bug when working with the Cares Document Checker he's developing related to linting (running a syntax check) on a given PHP file.

While doing a lint check on a code block, a parse error was occurring on a line that contained a comment in the original source file. [...] Presumably what was happening was, even though the var_dump() call showed that actual newlines were being interpreted correctly, the \r was also being interpreted rather than taken literally. This caused the comma following it to generate the error I was receiving.

An alternative to the method he was using, shell_exec, is proc_open, a function that opens a resource to handle a command execution and allows for more than the "point and shoot" execution that functions like shell_exec or system provide.

tagged: parse error vardump comment shellexec system exec procopen

Matthew Turland's Blog:
Environmental Awareness Quickie
Jul 28, 2008 @ 07:57:00

Matthew Turland came across someone having an issue running his PHP-based IRC bot (Phergie) in an environment where the exec function wasn't allowed:

This causes a warning in the Quit plugin, which uses exec to automatically detect the full path to the PHP CLI binary on non-Windows systems so that it can later use that path to initiate a new PHP CLI process to "restart" the bot.

To check this setting in the future, it was recommended that he look at the SPL ReflectionFunction class (a part of the Standard PHP Library), which would let him check the disabled status of any PHP function (by looking at the result of the isDisabled call).

tagged: spl isdisabled reflection exec irc bot phergie

Developer Tutorials Blog:
Running background processes in PHP
Jul 18, 2008 @ 11:18:21

New on the Developer Tutorials blog today is this look at handling background processes from your PHP script:

You've checked and double checked the integrity of user input, and you’re doing some serious processing. There's only one problem: it's too slow. There's a simple solution: forking your processing script, and running the code as a background process asynchronously. It can email your user when it's done: they'll wait. In this tutorial, I'll show you how to get started with background processes in PHP.

Akash gives examples of the three keys to background processes: starting the script via an exec call, talking to the process by passing it additional parameters, and including code to monitor the state of the background process via something like a MySQL "sessions" table that the script writes to.

tagged: process background exec parameter mysql session track

PHP Discovery Blog:
Dangers of Remote Execution
Nov 21, 2007 @ 13:48:00

On the PHP Discovery blog, there's a new post reminding PHP developers of some of the more dangerous ways that remote execution could affect your site and some of the common entry points it can have.

PHP has numerous ways to execute raw PHP code unless you, the programmer, stop it. The best way to prevent these methods is to make sure you check the input your users are submitting, and to make sure you escape all malicious actions that a hacker, cracker, or kiddy scripter might want to do to your website.

He summarizes four of the things from the Pro PHP Security book from Apress (by Chris Snyder and Michael Southwell) that can leave holes in your application for would-be exploits: preg_replace, shell_exec/exec, eval (which we all know is only one letter from "evil" anyway) and require/include.

tagged: danger remote execution pregreplace include eval shellexec exec require

Nessa's Blog:
Using PHP to Display Version Info (I and II)
Oct 19, 2007 @ 11:23:00

Nessa has two posts that talk about how to use PHP to display the versions of software running on the local machine.

I've been working on this application for work that does some simple server reporting, part of which involves displaying the versions of major software running on the machines. [...] I need to be aware of this to make sure that customers are being moved to servers with compatible versions. It's also good in tracking and planning upgrades.

In the first post she recommends using the exec function in PHP to run system commands to get things like the cPanel version, the Python version and which Perl you have installed.

Part two shows a slightly different way to get some of the same information: using the data in the /proc/version file as a single resource for OS information.

tagged: display version information exec proc version file

EdFinkler's Blog:
Determining if a function is *really* available in PHP
Mar 29, 2007 @ 07:02:14

In this new post to his blog, Ed Finkler talks about some tests he worked up to discover whether a function is available in PHP or not while working on the latest version of PHPSecInfo.

is_callable() will return TRUE even if a function has been disabled in php.ini with disabled_functions (which, in my mind, is contrary to what “is_callable” implies). function_exists() will return FALSE if the function is disabled in php.ini, but will return TRUE if the function is being blocked by safe_mode.

So, to help counter these issues, he first checks whether exec('id') works, testing it with function_exists and checking that the safe_mode setting is disabled. If that doesn't pass, he moves on to the posix_* functions and tests them with function_exists.

tagged: function available exec posix iscallable functionexists
