Running Commands with system() or passthru()

Running Commands with system() or passthru()

The system() function is similar to the exec() function in that it launches an external application, and it utilizes a scalar variable for storing a return value:

 system("/path/to/somecommand", $return_val); 

The system() function differs from exec() in that it outputs information directly to the browser, without programmatic intervention. The following snippet of code uses system() to print a man page for the man command, formatted with the <pre></pre> tag pair:

 <?php echo "<pre>"; system("man man | col -b", $return_val); echo "</pre>"; ?> 

Similarly, the passthru() function follows the syntax of the system() function, but it behaves differently. When using passthru(), any output from the shell command is not buffered on its way back to you; this is suitable for running commands that produce binary data instead of simple text data. An example of this would be to use shell tools to locate an image and send it back to the browser, as seen in Listing 13.5.

Listing 13.5. Using passthru() to Output Binary Data

 1: <?php 2: if ((isset($_GET[imagename])) && (file_exists($_GET[imagename]))) { 3:    header("Content-type: image/gif"); 4:    passthru("giftopnm $_GET[imagename] | pnmscale -xscale .5 -yscale .5 | ppmtogif"); 5: } else { 6:    echo "The image $_GET[imagename] could not be found"; 7: } 8: ?> 

By the Way

The shell utilities used in this script, giftopnm, pnmscale, and ppmtogif may or may not be installed on your system. If they are not, you can probably install them from your OS distribution CD, but don't worry about it just for this example. The point is simply to use this listing to understand the concept of using the passthru() function.

Assuming this file is named getbinary.php, it would be called from HTML like:

 <img src="/books/2/868/1/html/2/getbinary.php?imagename=<?php echo urlencode("test.gif") ?>"> 

In line 2 of Listing 13.5, the user input is tested to ensure that the file in question (test.gif, according to the HTML snippet) exists. Because the script will be outputting GIF data to the browser, the appropriate header is set on line 3.

On line 4, the passthru() function consecutively executes three different commandsgiftopnm, pnmscale, and ppmtogif, which scales the image to 50% of its original height and width. The output of the passthru() functionthat is, the new image datais sent to the browser.

By the Way

In this and other system-related examples, you could have used the escapeshellcmd() or escapeshellarg() function to escape elements in the user input. Doing so ensures that the user cannot trick the system into executing arbitrary commands such as deleting important system files or resetting passwords. These functions go around the first instance of the user input, such as

 $new_input = escapeshellcmd($_GET[someinput]); 

You would then reference $new_input tHRoughout the remainder of your script, instead of $_GET[someinput]. Using these two commands, plus ensuring that your script is written so as to only perform tasks you want it to do, and not your users, is a way to keep your system secure.