chadrt Posted April 10, 2015

Here is the script...

<?php
#### CHAD'S SCRIPT TO CHANGE VOLUME FROM A WEB PAGE ON IRLP NODES ####

$channel = $_GET['c'];
$amount = $_GET['a'];

echo $channel; //These Work Great
echo $amount; //These Work Great

### PHP's Switch function to determine the command sent to the terminal ###
switch ($channel){
    case "vol":
        shell_exec('aumix -v $amount'); // When I use the variable does not work!
        shell_exec('aumix -S');
        break;
    case "vol2": // Test case
        shell_exec('aumix -v 15'); // When I manually specify the volume amount it works great!
        shell_exec('aumix -S');
        break;
    case "pcm":
        shell_exec('aumix -w $amount');
        shell_exec('aumix -S');
        break;
    case "speaker":
        shell_exec('aumix -p $amount');
        shell_exec('aumix -S');
        break;
    case "line":
        shell_exec('aumix -l $amount');
        shell_exec('aumix -S');
        break;
    case "mic":
        shell_exec('aumix -m $amount');
        shell_exec('aumix -S');
        break;
    case "pcm2":
        shell_exec('aumix -W $amount');
        shell_exec('aumix -S');
        break;
    case "igain":
        shell_exec('aumix -i $amount');
        shell_exec('aumix -S');
        break;
    default:
        echo "";
        break;
}

### READ THE CONTENTS OF AUMIX
$volumes = shell_exec('aumix -q');

### Begin echoing the HTML to provide the controls ###
echo "<b>Current Volume Levels:</b><br>";
echo "<pre>$volumes</pre><p>";

##### End of PHP Scripting the rest is pure HTML so we can close the PHP script tags here
?>
<br><br><form method=get>
<p><b>Change Volume Level:</b><br>
<select name="c" id="c">
    <option value="">CHOOSE CHANNEL</option>
    <option value="vol">vol</option>
    <option value="pcm">pcm</option>
    <option value="speaker">speaker</option>
    <option value="line">line</option>
    <option value="mic">mic</option>
    <option value="cd">cd</option>
    <option value="pcm2">pcm2</option>
    <option value="igain">igain</option>
    <option value="line1">line1</option>
</select>
<br>New Value: <input type="text" value="" size="5" maxlength="3" name="a">
<br><input type="submit" value="Submit">
</form>

That is the entire script in all its "lack of glory". I commented the script here to show what is working and what is not. I can echo the variables just fine, but when I try to call it from within the shell_exec then I am assuming it is providing a blank response or one that the shell cannot understand.

requinix Posted April 10, 2015

Variables do not work in single-quoted strings. Use double-quoted strings or string concatenation.

But first your code is really, really unsafe. You may think the amount will be a certain thing (a number, I assume) but the code doesn't do anything to make sure that's the case. Someone could use

a=whatever command I want in here

and have you execute

aumix -v whatever command I want in here

If amount is supposed to be a number then make sure it's an actual number: cast it like

$amount = (int)$_GET['a'];

and then make sure it's a valid number, like amount>0 and amount

chadrt Posted April 10, 2015 (Author)

@requinix Thank you, changing the single quotes to double fixed the script!!!

The directory that all this is located in is only accessible by 3 people who are close friends of mine. Secured by use of .htaccess. But I thought I would release the code to the rest of the ham population, so I will go ahead and implement the other things you talked about to help secure the page a little bit better.

I was thinking about the fact that I am using $_GET and that while my page is only allowing 3 digits into the form or the select box, it could be used to inject malicious code by entering volume.php?c=<malicious code>&a=<malicious code> or someone could build their own page that POSTs the malicious code. So I think that all the input should be stripped? As well as making sure that only integers are used in the volume

chadrt Posted April 10, 2015 (Author)

OK, so here is a small revision, tell me what you think. I had to do some digging in the PHP manual but I think this will solve any hack-like attempts...

<?php
#### CHAD'S (K0KAD) SCRIPT TO CHANGE VOLUME FROM A WEB PAGE ON IRLP NODES ####
#### Place script into the control directory so it is protected by Apache from outsiders
#### Put a link into the index.php file that will take you to this page.
#### Place a "--exclude index.php" into the custom/update-files-list file so that it won't get replaced each night
#### Make sure you have a suitable entry in your sudoers file /etc/sudoers so that user "repeater" can use save
#### aumix settings. Else it will revert anytime the node reboots or power failure etc.

if((int)$_GET['a'] >=1 && (int)$_GET['a'] <=100) {
    $amount = (int)$_GET['a'];
}else{
    $error = "<font color=red>Please enter a value between 1 and 100 only!<br></font>";
}

if((int)$_GET['c'] >=1 && (int)$_GET['c'] <=10) {
    $channel = (int)$_GET['c'];

    ### PHP's Switch function to determine the command sent to the terminal ###
    switch ($channel){
        case "1":
            shell_exec("aumix -v $amount");
            shell_exec('sudo aumix -S');
            $success = "<font color=blue><b>Successfully updated volume!</b></font>";
            break;
        case "2":
            shell_exec("aumix -w $amount");
            shell_exec('sudo aumix -S');
            $success = "<font color=blue><b>Successfully updated volume!</b></font>";
            break;
        case "3":
            shell_exec("aumix -p $amount");
            shell_exec('sudo aumix -S');
            $success = "<font color=blue><b>Successfully updated volume!</b></font>";
            break;
        case "4":
            shell_exec("aumix -l $amount");
            shell_exec('sudo aumix -S');
            $success = "<font color=blue><b>Successfully updated volume!</b></font>";
            break;
        case "5":
            shell_exec("aumix -m $amount");
            shell_exec('sudo aumix -S');
            $success = "<font color=blue><b>Successfully updated volume!</b></font>";
            break;
        case "6":
            shell_exec("aumix -W $amount");
            shell_exec('sudo aumix -S');
            $success = "<font color=blue><b>Successfully updated volume!</b></font>";
            break;
        case "7":
            shell_exec("aumix -i $amount");
            shell_exec('sudo aumix -S');
            $success = "<font color=blue><b>Successfully updated volume!</b></font>";
            break;
        case "8":
            shell_exec("aumix -1 $amount");
            shell_exec('sudo aumix -S');
            $success = "<font color=blue><b>Successfully updated volume!</b></font>";
            break;
        default:
            echo "";
            break;
    }
}else{
    $error2 = "<font color=red>Please select an appropriate channel from the drop down list!<br></font>";
}

### READ THE CONTENTS OF AUMIX
$volumes = shell_exec('aumix -q');

echo "<b>Current Volume Levels:</b><br>";
echo "<pre>$volumes</pre><p>";
echo $error;
echo $error2;
echo $success;

##### End of PHP Scripting the rest is pure HTML so we can close the PHP script tag here
?>
<form method=get>
<p><b>Change Volume Level:</b><br>
<select name="c" id="c">
    <option value="">CHOOSE CHANNEL</option>
    <option value="1">vol</option>
    <option value="2">pcm</option>
    <option value="3">speaker</option>
    <option value="4">line</option>
    <option value="5">mic</option>
    <option value="6">pcm2</option>
    <option value="7">igain</option>
    <option value="8">line1</option>
</select>
<br>New Value: <input type="text" value="" size="5" maxlength="3" name="a">
<br><input type="submit" value="Submit">
</form><br><p><br><a href="index.php">Return to Control Page</a>

requinix Posted April 10, 2015

You need to make sure that you don't run the command if there was an error. Right now you set $error if a is bad, but as long as c is valid you'll execute the command.

The code structure I prefer for this kind of thing goes like this:

errors = array()

if a is not valid {
    add error message for a
}
if c is not valid {
    add error message for c
}

if no errors {
    do stuff
}

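The validate-first structure from the post above, applied to the volume script as an added PHP example that is not code from the thread: `AUMIX_FLAGS` and `build_aumix_command()` are hypothetical names, the option letters are the ones in the posted script, and the command is only built and printed, never executed. It uses a strict integer check because an `(int)` cast turns a value such as `15; echo injected` into 15 instead of rejecting it.

```php
<?php
// Added example. AUMIX_FLAGS and build_aumix_command() are hypothetical names.
// Allowlist: channel name from the form => aumix option letter used in the thread.
const AUMIX_FLAGS = [
    'vol' => 'v', 'pcm' => 'w', 'speaker' => 'p', 'line' => 'l',
    'mic' => 'm', 'pcm2' => 'W', 'igain' => 'i', 'line1' => '1',
];

// Returns [errors, command]; command is null whenever any input is invalid.
function build_aumix_command(array $query): array
{
    $errors = [];

    // Strict check: missing values, arrays and strings with trailing text all
    // fail, as does anything outside 1..100.
    $amount = filter_var($query['a'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 100]]);
    if ($amount === false) {
        $errors[] = 'Please enter a value between 1 and 100 only!';
    }

    $channel = $query['c'] ?? '';
    if (!is_string($channel) || !array_key_exists($channel, AUMIX_FLAGS)) {
        $errors[] = 'Please select an appropriate channel from the drop down list!';
    }

    if ($errors) {
        return [$errors, null]; // no command is built, so none can be run
    }
    // Both parts now come from validated values; escapeshellarg() is a second layer.
    $command = 'aumix -' . AUMIX_FLAGS[$channel] . ' ' . escapeshellarg((string) $amount);
    return [[], $command];
}

// Constructed sample requests standing in for $_GET.
$samples = [
    ['c' => 'vol', 'a' => '15'],
    ['c' => 'vol', 'a' => '15; echo injected'],
    ['c' => 'bogus', 'a' => '500'],
];
foreach ($samples as $query) {
    [$errors, $command] = build_aumix_command($query);
    echo json_encode($query), ' => ',
        $command ?? 'rejected: ' . implode(' | ', $errors), PHP_EOL;
}
```

In the real page, `shell_exec($command)` would be called only when the returned error list is empty, and the error messages would be passed through `htmlspecialchars()` before being echoed.
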
chadrt Posted April 11, 2015 (Author)

That worked really well!!! Especially given that I used your first suggestion setting it as (int) for both. I have it running now on mine and a friend's nodes and it works great!!

Thank you requinix for the help!