Matthew Turland came across an interesting bug when working with the Cares Document Checker he's developing related to linting (running a syntax check) on a given PHP file.

While doing a lint check on a code block, a parse error was occurring on a line that contained a comment in the original source file. [...] Presumably what was happening was, even though the var_dump() call showed that actual newlines were being interpreted correctly, the r was also being interpreted rather than taken literally. This caused the comma following it to generate the error I was receiving.

An alternative to the method he was using, shell_exec, is proc_open, a function that opens a resource to handle a command execution and allows for more than just the "point and shoot" execution that things like shell_exec, or system.

Matthew Turland came across someone having an issue running his PHP-based IRC bot (Phergie) an an environment where the exec function wasn't allowed:

This causes a warning in the Quit plugin, which uses exec to automatically detection of the full path to the PHP CLI binary on non-Windows systems that it will later use that path to initiate a new PHP CLI process to "restart" the bot.

It check this setting for the future, it was recommended that he look at the SPL ReflectionFunction class (a part of the Standard PHP Library) that would let him check the disabled status of any PHP function (looking at the result of the isDisabled call).

New on the Developer Tutorials blog today is this look at handling background processes from your PHP script:

You've checked and double checked the integrity of user input, and you're doing some serious processing. There's only one problem: it's too slow. There's a simple solution: forking your processing script, and running the code as a background process asynchronously. It can email your user when it's done: they'll wait. In this tutorial, I'll show you how to get started with background processes in PHP.

Akash gives examples of the three keys to background processes - starting the script via an exec, talking to the process by passing additional parameters and including code to monitor the state of the background process via something like a MySQL "sessions" table that the script writes to.

On the PHP Discovery blog, there's a new post reminding PHP developers of some of the more dangerous ways that remote execution could effect your site and some of the common entry points it can have.

PHP has numerous ways to execute raw PHP code unless you the programmer stops it. Best way in preventing these methods is making sure you check the input of what your users are inputting, and making sure you escape all malicious actions that a hacker,cracker, kiddy scripter might want to do to your website.

He summarizes four of the things from the Pro PHP Security book from Apress (by Chris Snyder and Michael Southwell) that can leave holes in you application for would-be explots - preg_replace, shell_exec/exec, eval (which we all know is only one letter from "evil" anyway) and require/include.

Nessa has two posts that talk about how to use PHP to display the versions of software running on the local machine.

I've been working on this application for work that does some simple server reporting, part of which involves displaying the versions of major software running on the machines. [...] I need to be aware of this to make sure that customers are being moved to servers with compatible versions. It's also good in tracking and planning upgrades.

In the first post she recommends using the exec function in PHP to run system commands to get things like the cpanel version, python version and what perl you have installed.

Part two shows a little bit different way to get some of the same information - using the data in the /proc/version file as a single resource to get OS information.

In this new post to his blog, Ed Finkler talks about some tests he worked up to discover if a function is available in PHP or not while working on the latest version of PHPSecInfo).

is_callable() will return TRUE even if a function has been disabled in php.ini with disabled_functions (which, in my mind, is contrary to what 'śis_callable'ť implies). function_exists() will return FALSE if the function is disabled in php.ini, but will return TRUE if the function is being blocked by safe_mode.

So, to help counter these issues, he checks first to see if the exec('id') option works - checking it work function_exists and the setting for safe_mode (disabled). If it doesn't pass, he moves on to the posix_* function and tests then with a function_exists.

On the ThinkPHP blog today, there's a quick hint about dealing with larger files both with and whithout PHP.

As one man was quoted "640K of memory should be enough for anybody" no one will need to access more than 2 GB data. What happens if you - just for scientific reasons of course - try to access larger files using your 32bit hardware and your favorite programming language PHP?

They give the example of opening a large 2 gig file with PHP and the resulting error that would pop up. They try a few differnt ways before getting down to more of a non-PHP PHP solution (yes, you read that right). They decided, instead, to create a script to work with the file chunked, using an exec() call to the unix split command to break it up.