In PHP, How to Detect the Execution Is from Cli Mode or Through Browser

In PHP, how to detect the execution is from CLI mode or through browser ?

Use the php_sapi_name() function.

if (php_sapi_name() == "cli") {
    // In cli-mode
} else {
    // Not in cli-mode
}

Here are some relevant notes from the docs:

php_sapi_name — Returns the type of interface between web server and PHP

Although not exhaustive, the possible return values include aolserver, apache, apache2filter, apache2handler, caudium, cgi (until PHP 5.3), cgi-fcgi, cli, cli-server, continuity, embed, isapi, litespeed, milter, nsapi, phttpd, pi3web, roxen, thttpd, tux, and webjames.

PHP - how to best determine if the current invocation is from CLI or web server?

php_sapi_name is the function you will want to use as it returns a lowercase string of the interface type. In addition, there is the PHP constant PHP_SAPI.

Documentation can be found here: http://php.net/php_sapi_name

For example, to determine if PHP is being run from the CLI, you could use this function:

function isCommandLineInterface()
{
    return (php_sapi_name() === 'cli');
}

What is the canonical way to determine commandline vs. http execution of a PHP script?

Use the php_sapi_name() function.

if (php_sapi_name() == "cli") {
    // In cli-mode
} else {
    // Not in cli-mode
}

Here are some relevant notes from the docs:

php_sapi_name — Returns the type of interface between web server and PHP

Although not exhaustive, the possible return values include aolserver, apache, apache2filter, apache2handler, caudium, cgi (until PHP 5.3), cgi-fcgi, cli, cli-server, continuity, embed, isapi, litespeed, milter, nsapi, phttpd, pi3web, roxen, thttpd, tux, and webjames.

In PHP >= 4.2.0, there is also a predefined constant, PHP_SAPI, that has the same value as php_sapi_name().

How to check with PHP if the script is being run from the console or browser request?

Use php_sapi_name()

Returns a lowercase string that
describes the type of interface (the
Server API, SAPI) that PHP is using.
For example, in CLI PHP this string
will be "cli" whereas with Apache it
may have several different values
depending on the exact SAPI used.

For example:

$isCLI = (php_sapi_name() == 'cli');

You can also use the constant PHP_SAPI

Detecting the environment in PHP CLI scripts

You can use php_uname('n') to get the hostname of your current machine. From there it's up to your implementation to determine whether it's production, staging, or development, either based on patterns in host name, hard-coded values, or some other configuration file.

How to check if PHP script is running by shell

Use the php_sapi_name function:

if(php_sapi_name() == 'cli')
{
    // running from CLI
}

From the Manual:

Returns a lowercase string that describes the type of interface (the Server API, SAPI) that PHP is using. For example, in CLI PHP this string will be "cli" whereas with Apache it may have several different values depending on the exact SAPI used. Possible values are listed below.

Emulating PHP's CLI in a browser

Call this function trough a RPC or a direct POST from javascript, which does things in this order:

• Write the PHP code to a file (with a random name) in a folder (with a random name), where it will sit alone, execute, and then be deleted at the end of execution.
• The current PHP process will not run the code in that file. Instead it has to have exec permissions (safe_mode off). exec('php -c /path/to/security_tight/php.ini') (see php -?)
• Catch any ouput and send it back to the browser. You are protected from any weird errors. Instead of exec I recomment popen so you can kill the process and manually control the timeout of waiting for it to finish (in case you kill that process, you can easily send back an error to the browser);

You need lax/normal security (same as the entire IDE backend) for the normal PHP process which runs when called through the browser.

You need strict and paranoid security for the php.ini and php process which runs the temporary script (go ahead and even separate it on another machine which has no network/internet access and has its state reverted to factory every hour just to be sure).

Don't use eval(), it is not suitable for this scenario. An attacker can jump out into your application and use your current permissions and variables state against you.

---

Related Topics