Is it a good practice to execute terminal commands from a Perl or PHP script?
Yes, this is bad practice in almost all cases! This is especially true if you have a choice.
Executing external commands is:
Very hard to do correctly (but very easy to get sort-of-working). You can't just escape the shell args and call it a day, you have to account for potentially multiple levels of escaping for potentially different languages.
Slow. A fork+exec to e.g.
rm
is easily a thousand times slower than the corresponding syscall.A rigid, error-prone and inexpressive integration point. You typically have to convert data to flat lists of strings and back. You can't use the language's features like exception handling, nested data structures or callbacks.
Due to this, the following are BAD reasons to call external commands:
Not knowing how to do X in your language, but knowing a shell command for it. A typical example is
cp -R foo bar
.Not knowing how something works, but knowing a shell oneliner that does it. A typical example is
foo *.mp4 > >(tee file)
.Not wanting to learn a new API for e.g. json or http, and instead using shell tools like
jq
orcurl
.
However, if you are calling a program that does non-trivial things, that doesn't have a native library or bindings, AND that you know how to invoke with execve
semantics (NOT system
nor perl exec
semantics that invoke shells), this is a valuable tool.
Examples of good uses of executing external commands that follow all the above is invoking make
to build a project from an installer, or running java -jar ...
to start a Minecraft server.
passing the '' sign to PERL from PHP
As @po_taka already mentioned you need to sanitize $_POST data, use this the PHP function escapeshellarg.
system("/usr/bin/perl script.pl ".escapeshellarg($val)." ".escapeshellarg($val2),$retval);
Perl equivalent of PHP's strtotime()?
Date::Parse supplies str2time
, which does this.
The documentation lists some examples that the module can parse:
1995:01:24T09:08:17.1823213 ISO-8601
1995-01-24T09:08:17.1823213
Wed, 16 Jun 94 07:29:35 CST Comma and day name are optional
Thu, 13 Oct 94 10:13:13 -0700
Wed, 9 Nov 1994 09:50:32 -0500 (EST) Text in ()'s will be ignored.
21 dec 17:05 Will be parsed in the current time zone
21-dec 17:05
21/dec 17:05
21/dec/93 17:05
1999 10:02:18 "GMT"
16 Nov 94 22:28:20 PST
Pass file from file() to Perl program PHP
That shell_exec() code is utterly vulnerable to shell injection - you're trusting that the remote service won't include something like:
; rm -rf /
As well, file()
returns the file contents as an array - you can't pass arrays over the command line directly. Only strings.
A moderately safer version is:
$contents = file_get_contents('http://etc....');
$safe_contents = escapeshellarg($contents);
$result = shell_exec('perl_prog.pl $safe_contents');
On the Perl side, you'd use
my ($contents) = @ARGV;
Run perl when system() is disabled
There is no way to execute them by shell; all ways to execute shell commands in PHP are disabled. (execpt interpreting perl in PHP (what makes no sense I think...; then you also can directly translate perl to php))
php exec shell command with regexp matching
A basic understanding of quoting would help...
The \
you have in your $cmd string defnitition are consumed by PHP.
escapeshallarg()
only deals with quotes, so your $t
in the xargs get passed through verbatim to the shell, so you end doing essentially the equivalent of having typed the following at the shell prompt:
$ find /project/path -name '*.php' | xargs .... 's/$t etc....'
The $t
will get expanded by the shell, and since you don't have a $t
defined in this new shell, your regexes turn into
's/('\047
^---hey, no $t value!
Try
$cmd = "find {$projectPath} -name '*.php' | blah blah s/\\$t etc...
^^--double escape
One backslash will be consumed by PHP, leaving s/\$t
in the string. When that gets pased to the shell, the \$t
will get passed in to perl as $t
and be treated as a perl variable...
Related Topics
Can You Pass by Reference While Using the Ternary Operator
Compare Two Version Strings in PHP
How to Change the Sequence of 'Joins' in Cakephp
The Ultimate Emoji Encoding Scheme
Pass Value from HTML Form to PHP Without Submitting the Form
Why Does (0 == 'Hello') Return True in PHP
Set_Error_Handler() Doesn't Work for Fatal Error
Quoting Constants in PHP: "This Is a My_Constant"
How Does PHP Index Associative Arrays
How to Put a Translation System in PHP Website
Undefined Offset When Using PHP Explode()
Parse Error: Syntax Error, Unexpected '.', Expecting ',' or ';'
PHP for ; Foreach Variable Scope
Php: How to Create Unicode Filenames
Getimagesize() Not Returning False When It Should