Passing from data to PHP to capture variables and run an exe

[lynns]

I have an HTML form where I am capturing the data, then passing it to a PHP file. Within the PHP file I want to grab specific variables and pass them to an executable. I am getting back all the lines I'm asking to ECHO before the executable and after it. However, the executable is not running. I can run the executable from the command line, but it will not process from the PHP script. I am running on Windows Server 2012 with IIS 8. Am I missing a setting in PHP or withing IIS to allow the executable to run or ???

 

Here is the sample PHP script. 

 

<?php

 

echo  "<h1>Thank you, your username is - " .$_POST ["Email"] . "</h1>";  /* this is working fine */

 

$user=$_POST["Email];

$company=$POST["CompanyName"];

$company=str_replace('','.',$company);

echo $company;

echo $user:     /* this section is working fine */

 

echo "Registration Starting.\n";  /* working fine */

exec("Sample.exe -b https://website.com/restapi/api/xxxx -u name@company.com -p PASSWORD --name $Email --access 1 --affiliate $CompanyName");   /* not working */

echo "Registration Complete.\n";  /* working fine */

 

?>

 

 

 

[ginerjm]

Have you read the manual on how this command is used? It appears that you can get results from the call, but you are not trying to get them.

[Barand]

Your exec() parameters use $Email and $CompanyName but you put the values into $user and $company

[Jacques1]

You can't just insert user input straight into a shell command, because this allows anybody to execute any command on the server (see Command Injection).

 

So the solution is not to change the variables. The solution is to turn your brain on while programming:

• Do you even need the command? It seems you're posting the data to a remote API, which can easily be done with PHP itself. No need for any executables.
• If you do need to execute a local program, use a safe method for passing the data. For example, pipe it to the standard input.
• If this isn't possible, you need to shell-escape the arguments.

[lynns]

Thank you all for your input. I am brand new to this and trying to figure it out as I go. I changed the variables to no avail. If I could get the exec command to work I could then move to making it more secure. But so far I'm unable to get the exec command to run from this script. Again, I can run it from the command line and it works great. I need to execute the local program and it posts to a remote API. I am not allowed to post directly to the API with PHP. I am integrating this process with another company so that's not allowed. 

[ginerjm]

I'll repeat my previous post. Did you read the manual for this command and implement the outputs that you can use to debug it perhaps?

[lynns]

Ginerjm, yes I've read it and have implemented to the best of my limited abilities. I am posting on this site to ask for assistance beyond what I've been able to do so far. 

[maxxd]

If you're trying to run something from the command line, I think you want shell_exec(). At the same point, why is the company with which you are working not allowed to post to this API with PHP only? Have you tried cURL instead? It would certainly be safer than running a shell command... Either way, you're going to have to assign the response from exec() or shell_exec() to a variable in order to use it.

[ginerjm]

Show us the code you used to call the exec now. And have you actually looked at the outputs the call returns?

[lynns]

Thank you maxxd and ginerjm. The code I've been using to call the exec is this: 

 

<?php

 

exec("Sample.exe -b https://website.com/restapi/api/xxxx -u name@company.com -p PASSWORD --name $Email --access 1 --affiliate $CompanyName --examples AddnewUserEx");

 

?>

 

If I call this php file from the command line, hardcode the name and affiliate, it runs properly and adds the new user in my partner's portal. However, it will not run from IIS. 

[Barand]

Possibly a permissions problem? I think that, when running from IIS, the user is "IUSR_computername".

[Jacques1]

exec() can capture the return value of the command. Use this.

 

It also looks like you're using a relative path for the executable. Don't do that, because PHP in an IIS context may set the current directory to something you don't expect.

<?php

exec('/full/path/to/executable ...', $output, $return_value);

var_dump($return_value);

What's the return value?

Edited September 14, 2016 by Jacques1

[ginerjm]

lynns - The format Jacques JUST showed you is what I have told you about already. And I asked a second time for you to use it. Why didn't you?

 

If you are here to ask for help, why don't you respond to it and pursue the solutions you are given? Did you EVEN read the manual as I first said? Probably not it appears. Too bad.

[lynns]

Jacques1, thank you. I do not know the return value. How do I determine this?

[ginerjm]

Jacques has showed you EXACTLY how to do what he asked. Are you not going to listen to him either?

[lynns]

ginejm ,while I appreciate your responses, your condescending attitude is repulsive and unhelpful. I told you upfront that I am new to this. I did try what he asked and nothing happened. In fact, the script did not run at. I'm looking for solutions, not argumentative repartee. 

[lynns]

Jacques1, I added the syntax you provided but the script did not run at all. On the webpage it threw a 500 error. 

 

I just tried it a different way and the return_value is: int(-532462766)

Edited September 14, 2016 by lynns

[ginerjm]

I'm condescending? And you sit there ignoring my posts from the get-go? What does that make you? And what do you think of Jacques1 after the post (I dont' see it here but my email sent it to me when he posted it) he sent you which I have excerpted below:

(From Jacques1 at 8:02pm)

I understand that you're new to PHP, but you can still exercise common sense and be a smart human being. For example: How about adding the parameters to your script? How about a bit of trial-and-error to narrow down the problem? How about looking up where IIS keeps its error log to get the actual error message?

I gave you the best answer I could as the first to respond. You ignored it and haven't shown any initiative on your own. I give up. Even Jacques1 has apparently reached his limit. In fact he probably retracted his post since it doesn't show up here any more.

[lynns]

Oh ginerjm, you're funny. You didn't, in fact, give me an answer, now did you? You instead asked me if I read the manual on the command. Which I did, and still reached out for help. I've instituted all the suggestions on this page to no avail. I've supplied the return_value, I've checked the error logs, but none of them work. I keep asking for more help because none have worked so far. If you have something constructive to say, then say it. Otherwise please leave this space for someone to add an intelligent remark.  

[lynns]

Got it all working. There was an issue with the exe so the company allowed me to access it directly so I used curl. Thank you all for trying to help, I know it was frustrating for you.  

[Jacques1]

There was an issue with the exe so the company allowed me to access it directly so I used curl.

 

That sounds a lot more reasonable than the whole exe stuff.