Variable in shell_exec


chadrt


Here is the script...

<?php
#### CHAD'S SCRIPT TO CHANGE VOLUME FROM A WEB PAGE ON IRLP NODES ####

$channel = $_GET['c'];
$amount = $_GET['a'];

echo $channel; //These Work Great
echo $amount;  //These Work Great

### PHP's Switch function to determine the command sent to the terminal ###
switch ($channel){
	case "vol":
		shell_exec('aumix -v $amount'); // When I use the variable it does not work!
                shell_exec('aumix -S');
		break;
        case "vol2": // Test case
                shell_exec('aumix -v 15'); // When I manually specify the volume amount it works great!
                shell_exec('aumix -S');
        break;
	case "pcm":
		shell_exec('aumix -w $amount');
                shell_exec('aumix -S');
		break;
	case "speaker":
		shell_exec('aumix -p $amount');
                shell_exec('aumix -S');
		break;	
	case "line":
		shell_exec('aumix -l $amount');
                shell_exec('aumix -S');
		break;	
	case "mic":
		shell_exec('aumix -m $amount');
                shell_exec('aumix -S');
		break;
	case "pcm2":
		shell_exec('aumix -W $amount');
                shell_exec('aumix -S');
		break;
	case "igain":
		shell_exec('aumix -i $amount');
                shell_exec('aumix -S');
		break;
        default:
		echo "";
                break;
}

### READ THE CONTENTS OF AUMIX     
$volumes = shell_exec('aumix -q');



### Begin echoing the HTML to provide the controls ###
echo "<b>Current Volume Levels:</b><br>";
echo "<pre>$volumes</pre><p>";

##### End of PHP Scripting the rest is pure HTML so we can close the PHP script tags here 
?>

<br><br><form method=get>
<p><b>Change Volume Level:</b><br>
<select name="c" id="c">
<option value="">CHOOSE CHANNEL</option>
<option value="vol">vol</option>
<option value="pcm">pcm</option>
<option value="speaker">speaker</option>
<option value="line">line</option>
<option value="mic">mic</option>
<option value="cd">cd</option>
<option value="pcm2">pcm2</option>
<option value="igain">igain</option>
<option value="line1">line1</option>
</select> <br>New Value:
<input type="text" value="" size="5" maxlength="3" name="a">
<br><input type="submit" value="Submit">
</form>

That is the entire script in all its "lack of glory".  I commented the script here to show what is working and what is not.  I can echo the variables just fine, but when I try to call it from within the shell_exec then I am assuming it is providing a blank response or one that the shell cannot understand.

 

 


Variables do not work in single-quoted strings. Use double-quoted strings or string concatenation.

 

But first your code is really, really unsafe. You may think the amount will be a certain thing (a number, I assume) but the code doesn't do anything to make sure that's the case. Someone could use

a=whatever command I want in here
and have you execute

aumix -v whatever command I want in here
If amount is supposed to be a number then make sure it's an actual number: cast it like

$amount = (int)$_GET['a'];
and then make sure it's a valid number, like amount>0 and amount

@requinix

 

Thank you, changing the single quotes to double fixed the script!!!

 

The directory that all this is located in is only accessible by 3 people who are close friends of mine.  Secured by use of .htaccess.  But I thought I would release the code to the rest of the ham population, so I will go ahead and implement the other things you talked about to help secure the page a little bit better.  I was thinking about the fact that I am using $_GET and that while my page is only allowing 3 digits into the form or the select box, it could be used to inject malicious code by entering volume.php?c=<malicious code>&a=<malicious code> or someone could build their own page that POSTs the malicious code.  So I think that all the input should be stripped?  As well as making sure that only integers are used in the volume


OK, so here is a small revision; tell me what you think.  I had to do some digging in the PHP manual but I think this will solve any hack-like attempts...

<?php
#### CHAD'S (K0KAD) SCRIPT TO CHANGE VOLUME FROM A WEB PAGE ON IRLP NODES ####
#### Place script into the control directory so it is protected by Apache from outsiders
#### Put a link into the index.php file that will take you to this page.
#### Place a "--exclude index.php" into the custom/update-files-list file so that it won't get replaced each night
#### Make sure you have a suitable entry in your sudoers file /etc/sudoers so that user "repeater" can use save
#### aumix settings.  Else it will revert anytime the node reboots or power failure etc.



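### Initialise the messages so the echo statements at the bottom never read an undefined variable
$error = $error2 = $success = "";

if((int)$_GET['a'] >=1 && (int)$_GET['a'] <=100) {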
$amount =  (int)$_GET['a'];
}else{
$error = "<font color=red>Please enter a value between 1 and 100 only!<br></font>";
}

if((int)$_GET['c'] >=1 && (int)$_GET['c'] <=10) {
$channel =  (int)$_GET['c'];


### PHP's Switch function to determine the command sent to the terminal ###
switch ($channel){
	case "1":
		shell_exec("aumix -v $amount");
                shell_exec('sudo aumix -S');
                $success = "<font color=blue><b>Successfully updated volume!</b></font>";
		break;
	case "2":
		shell_exec("aumix -w $amount");
                shell_exec('sudo aumix -S');
                $success = "<font color=blue><b>Successfully updated volume!</b></font>";
		break;
	case "3":
		shell_exec("aumix -p $amount");
                shell_exec('sudo aumix -S');
                $success = "<font color=blue><b>Successfully updated volume!</b></font>";
		break;	
	case "4":
		shell_exec("aumix -l $amount");
                shell_exec('sudo aumix -S');
                $success = "<font color=blue><b>Successfully updated volume!</b></font>";
		break;	
	case "5":
		shell_exec("aumix -m $amount");
                shell_exec('sudo aumix -S');
                $success = "<font color=blue><b>Successfully updated volume!</b></font>";
		break;
	case "6":
		shell_exec("aumix -W $amount");
                shell_exec('sudo aumix -S');
                $success = "<font color=blue><b>Successfully updated volume!</b></font>";
		break;
	case "7":
		shell_exec("aumix -i $amount");
                shell_exec('sudo aumix -S');
                $success = "<font color=blue><b>Successfully updated volume!</b></font>";
		break;
	case "8":
		shell_exec("aumix -1 $amount");
                shell_exec('sudo aumix -S');
                $success = "<font color=blue><b>Successfully updated volume!</b></font>";
		break;
        default:
		echo "";
                break;
}
}else{
$error2 = "<font color=red>Please select an appropriate channel from the drop down list!<br></font>";
}

### READ THE CONTENTS OF AUMIX     
$volumes = shell_exec('aumix -q');


echo "<b>Current Volume Levels:</b><br>";
echo "<pre>$volumes</pre><p>";
echo $error;
echo $error2;
echo $success;

##### End of PHP Scripting the rest is pure HTML so we can close the PHP script tag here 
?>

<form method=get>
<p><b>Change Volume Level:</b><br>
<select name="c" id="c">
<option value="">CHOOSE CHANNEL</option>
<option value="1">vol</option>
<option value="2">pcm</option>
<option value="3">speaker</option>
<option value="4">line</option>
<option value="5">mic</option>
<option value="6">pcm2</option>
<option value="7">igain</option>
<option value="8">line1</option>
</select> <br>New Value:
<input type="text" value="" size="5" maxlength="3" name="a">
<br><input type="submit" value="Submit">
</form><br><p><br><a href="index.php">Return to Control Page</a>

You need to make sure that you don't run the command if there was an error. Right now you set $error if a is bad, but as long as c is valid you'll execute the command.

 

The code structure I prefer for this kind of thing goes like this:

errors = array()

if a is not valid {
    add error message for a
}

if c is not valid {
    add error message for c
}

if no errors {
    do stuff
}
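
The structure outlined in the answer above, combined with the earlier advice to make sure the amount really is a number, as an added example that is not part of the original posts. It assumes PHP 7 or later; `build_aumix_command()` and `AUMIX_FLAGS` are hypothetical names, the channel names and flag letters are taken from the scripts in this thread, and the command is printed rather than executed so the example runs without aumix installed.

```php
<?php
// Added example, not the thread's code. The flag letters are the ones used in
// the scripts above; build_aumix_command() is a hypothetical helper name.

// Allowlist: form value => aumix flag. Request data never supplies the flag text.
const AUMIX_FLAGS = [
    'vol' => '-v', 'pcm' => '-w', 'speaker' => '-p', 'line' => '-l',
    'mic' => '-m', 'pcm2' => '-W', 'igain' => '-i', 'line1' => '-1',
];

/** Validate raw request values; returns [command or null, list of errors]. */
function build_aumix_command(array $query): array
{
    $errors = [];

    $channel = $query['c'] ?? '';
    if (!is_string($channel) || !array_key_exists($channel, AUMIX_FLAGS)) {
        $errors[] = 'Please select a channel from the drop down list.';
    }

    // FILTER_VALIDATE_INT rejects "15; id", "15abc" and "" outright, whereas
    // an (int) cast would quietly turn them into 15, 15 and 0.
    $amount = filter_var($query['a'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 100]]);
    if ($amount === false) {
        $errors[] = 'Please enter a value between 1 and 100 only.';
    }

    if ($errors) {
        return [null, $errors];   // any error: no command is built at all
    }
    // escapeshellarg() is redundant for a validated int; kept as defence in depth.
    $cmd = sprintf('aumix %s %s', AUMIX_FLAGS[$channel], escapeshellarg((string)$amount));
    return [$cmd, []];
}

// Constructed sample requests (not captured traffic).
$samples = [
    ['c' => 'vol', 'a' => '15'],
    ['c' => 'vol', 'a' => '15; id'],
    ['c' => 'bogus', 'a' => '250'],
    ['c' => 'mic'],
];
foreach ($samples as $q) {
    [$cmd, $errors] = build_aumix_command($q);
    // A real page would call shell_exec($cmd) here only when $cmd is not null.
    echo json_encode($q), ' => ', $cmd ?? 'REJECTED: ' . implode(' ', $errors), PHP_EOL;
}
```

Only the first sample yields a command; the other three are rejected with one or two messages and nothing is passed to the shell.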

That worked really well!!!  Especially given that I used your first suggestion setting it as (int) for both.  I have it running now on mine and a friend's nodes and it works great!!  Thank you requinix for the help!
