0

I have a web application which will be downloadable and installable on servers.

I have no idea about the server in question, all I can do is assume, so let's do that.

  • Server is on shared hosting
  • Doesn't have composer
  • Can't install anything like npm
  • User has no idea what CLI is

So with that in mind I created a PHP script which will download composer and then install the dependencies.

The script just uses exec()

The problem is that in order to install the dependencies, the root folder would need to be writeable since Apache doesn't own the directory and as someone pointed out that is a security flaw.

I need to figure out a way of installing the dependencies from Apache. Not sure if this is possible but any help is appreciated.

Here is the code I have which downloads composer and installs the dependencies:

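// Create a directory for Composer under /public (mode 0777, as in the original script)
mkdir('composer', 0777);
// Download the Composer installer and place composer.phar in ./composer
exec('curl -sS https://getcomposer.org/installer | php -- --install-dir=' . __DIR__ . '/composer');
// Run "composer install" against the parent directory (the project root)
exec('COMPOSER_HOME=' . __DIR__ . ' php composer/composer.phar install -d ' . dirname(__DIR__), $out, $return);

The above code is run from /public and creates a directory in it called composer. Since that is owned by Apache I can install the .phar into it and call it from there.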

Cjmarkham
  • This is a really bad idea, but this might help: http://stackoverflow.com/questions/17219436/run-composer-with-a-php-script-in-browser/17244866#17244866 – Danack Jul 04 '14 at 23:23

1 Answer

1

Make the downloaded code contain the dependencies. This will avoid fiddling with calling Composer in an environment you cannot control.

And additionally, there is no benefit in doing so, because you want to call composer install, which will always install the versions locked in composer.lock - and additionally will fail doing so if the requirements of the packages are not met, like wrong PHP version or missing extensions. That is something you have to resolve yourself anyway, but your proposed code will not really help the user in any way.

So go with the bigger downloadable package that includes all the dependencies. That way you know that all the needed code is there, without having to worry about installing Composer in an uninstallable environment.

Note however that you shouldn't include the dependencies inside your repository that manages your own code. You should have some kind of packaging and release script that creates download ZIPs by adding your own code and the one installed by Composer.

Sven
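
The packaging and release script the answer describes, sketched as an added example (not code from the answer or from any project). It assumes a POSIX shell on the build machine and Composer on the PATH; the `COMPOSER_BIN` variable, the `build_release` function and the `app-VERSION` archive name are hypothetical.

```shell
#!/bin/sh
# Added example: bundle locked Composer dependencies into a release archive.
# COMPOSER_BIN and the app-VERSION archive name are assumptions for illustration.
COMPOSER_BIN="${COMPOSER_BIN:-composer}"

# build_release SRC_DIR OUT_DIR VERSION  -> prints the archive path on stdout
build_release() {
    src=$1; out=$2; version=$3
    # composer install reproduces known versions only if composer.lock ships with the code.
    if [ ! -f "$src/composer.json" ] || [ ! -f "$src/composer.lock" ]; then
        echo "composer.json and composer.lock are required in $src" >&2
        return 1
    fi
    mkdir -p "$out" && out=$(cd "$out" && pwd) || return 1
    stage=$(mktemp -d) || return 1

    # Stage a clean copy: no VCS data, no leftover local vendor/ directory.
    cp -R "$src/." "$stage/" || { rm -rf "$stage"; return 1; }
    rm -rf "$stage/.git" "$stage/vendor"

    # Resolve dependencies on the build machine, never on the target server.
    "$COMPOSER_BIN" install --no-dev --no-interaction --prefer-dist \
        --optimize-autoloader --working-dir="$stage" >&2 \
        || { rm -rf "$stage"; return 1; }
    if [ ! -f "$stage/vendor/autoload.php" ]; then
        echo "vendor/autoload.php missing after install" >&2
        rm -rf "$stage"; return 1
    fi

    # Ship nothing group- or world-writable; the web server only needs to read it.
    chmod -R go-w "$stage"

    if command -v zip >/dev/null 2>&1; then
        archive="$out/app-$version.zip"
        rm -f "$archive"
        (cd "$stage" && zip -qr "$archive" .) || { rm -rf "$stage"; return 1; }
    else
        archive="$out/app-$version.tar.gz"   # fallback when zip is unavailable
        (cd "$stage" && tar -czf "$archive" .) || { rm -rf "$stage"; return 1; }
    fi
    rm -rf "$stage"
    echo "$archive"
}
```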