I have three PHP scripts. One I start with an init script. The second is started by the first one itself, and the second then uses shell_exec to get output from the third script by passing various params to it periodically.
But it’s not happening. When I var_dump the output of shell_exec, in the second script, I get NULL. But when I print the actual command which is used in shell_exec in the second script and try entering it into console, it works very well!
I tried the command from console of same user with which I start the init script.
This might be a permission issue. But I have the proper permissions set up, i.e.
- +x for the third script
- the third script (actually all the three are) is owned by the same user and group I use the console with
Note – I tried starting the third script with shebang as well as by removing the shebang and adding php before the script path. With root everything runs fine.
Also, just another note: the first script redirects output of the second script to a log file (this is where I found the third script returning NULL on shell_exec).
UPDATE: The code from second script which uses shell_exec
```php
$command = "/var/data/user-data.php '{$user}' '{$request['token']}' '{$request['secret']}'";
$data = json_decode( shell_exec( $command ), true );
```
I tried printing $command and also var_dump( shell_exec( $command ) ). The former one returns what is expected (the params) and the latter returns NULL.
Without directly commenting on what the problem is –
Stop. Don’t shell out. This is a security minefield.
What happens if the user passes, say:
Answer: Your entire server is erased (or at least anything the PHP script user can touch). Naturally there are other, more insidious things people can do. And this sort of vulnerability can and will be found by automated scanners, which will in turn automatically root your server.
So don’t shell out, particularly when you’re just calling another PHP script. Put your code into a function, include the php file containing it, and call the function when you need the data.
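The refactor this answer recommends, as an added example that is not part of the original post: the third script's logic becomes a function the second script calls directly, with an argument-quoting fallback for cases where a separate process cannot be avoided. The names `get_user_data()` and `build_user_data_command()` and the sample values are assumptions made for illustration; only the script path comes from the question.

```php
<?php
// Added example. get_user_data() and build_user_data_command() are
// hypothetical names; the body of get_user_data() stands in for whatever
// /var/data/user-data.php really does.

// Preferred: the third script's logic as a function. In the real project it
// would live in its own file, loaded by the second script with require_once.
function get_user_data(string $user, string $token, string $secret): array
{
    // Arguments arrive as PHP strings and never pass through a shell,
    // so quotes and semicolons in them are only data.
    return [
        'user'       => $user,
        'token_len'  => strlen($token),
        'secret_len' => strlen($secret),
    ];
}

// Fallback, only if a separate process is unavoidable: quote every argument
// with escapeshellarg() instead of wrapping it in hand-written '...'.
// Caveat: values passed on a command line are visible in the process list.
function build_user_data_command(string $user, string $token, string $secret): string
{
    $parts = [
        PHP_BINARY,                 // explicit interpreter, no reliance on shebang or PATH
        '/var/data/user-data.php',  // path from the question
        $user,
        $token,
        $secret,
    ];
    // 2>&1 puts error text into the captured output instead of a bare NULL.
    return implode(' ', array_map('escapeshellarg', $parts)) . ' 2>&1';
}

// Constructed sample input: a user name carrying shell metacharacters.
$user    = "alice'; echo INJECTED; '";
$request = ['token' => 'tok-123', 'secret' => 's3cr3t'];

// Direct call: the value round-trips unchanged and nothing is executed.
$data = get_user_data($user, $request['token'], $request['secret']);
var_dump($data['user'] === $user);

// Quoted command line: each value stays a single argument to the script.
echo build_user_data_command($user, $request['token'], $request['secret']), PHP_EOL;
```

With the function call there is no command string to build at all, which is why it is the safer of the two forms.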