0

I want to call an external PHP script that generates docx files with one of the docx PHP document creators I'm using.

I'm wondering if I should use exec('/path/to/script.php $pass_var1 $pass_var2 $pass_var3 $pass_var4 $pass_var5 $pass_var6');

or

system('/path/to/script.php $pass_var1 $pass_var2 $pass_var3 $pass_var4 $pass_var5 $pass_var6');

Will it pass in the $pass_var1 into the script.php as $pass_var1 if I were to call it in the script? Which one would be a better function to use for this purpose?

unixmiah
  • You should check this question: https://stackoverflow.com/questions/732832/php-exec-vs-system-vs-passthru – NaeiKinDus Dec 22 '14 at 17:51
  • No, it won't, because `'`-quoted strings do not expand/interpolate variable values. You're passing literal `$`, `p`, `a`, etc. chars to the shell. – Marc B Dec 22 '14 at 17:53

2 Answers

1

Variables are expanded inside double quotes, not inside single quotes. You need to use

system("/path/to/script.php $pass_var1 $pass_var2 $pass_var3 $pass_var4 $pass_var5 $pass_var6");

Also, you may need to use escapeshellarg when setting all the $pass_varN variables, if they come from untrusted user input.

Barmar
  • Thank you, this was a great answer. I will make sure to use escapeshellarg although this app is internal. But you never know. – unixmiah Dec 22 '14 at 18:01
  • I used escapeshellarg when passing in the vars to the script and used $argv to parse the array of values which were passed in as args in the script which was called from the system() function. – unixmiah Dec 23 '14 at 16:56
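
What this answer and the follow-up comment describe (a double-quoted command string, escapeshellarg on every value, $argv in the called script), as an added example that is not code from the original posts. It assumes the PHP CLI and a POSIX shell; build_command(), the temporary child script and the sample values are hypothetical.

```php
<?php
// Added example: caller and callee in one file so it runs stand-alone.
// Assumes PHP CLI on a POSIX shell; names and values below are constructed.

// Callee: a throwaway script that reports the arguments it got via $argv.
$child = tempnam(sys_get_temp_dir(), 'argv_');
file_put_contents($child, '<?php echo json_encode(array_slice($argv, 1));');

function build_command(string $script, array $args): string
{
    // Escape the interpreter path, the script path and every value, so each
    // value reaches the callee as exactly one $argv entry. "--" stops the
    // php binary from treating a value that starts with "-" as its own option.
    $parts = [escapeshellarg(PHP_BINARY), '-f', escapeshellarg($script), '--'];
    foreach ($args as $arg) {
        $parts[] = escapeshellarg((string) $arg);
    }
    return implode(' ', $parts);
}

// Constructed sample values that break an unescaped command line.
$pass_var1 = 'Quarterly Report';   // space: would split into two arguments
$pass_var2 = 'a;b $HOME `c`';      // shell metacharacters: must stay literal
$pass_var3 = "it's";               // embedded single quote

// Single-quoted PHP string: no interpolation, so the shell receives the text
// "$pass_var1" and expands it as its own (normally unset) variable.
exec('printf "[%s]" $pass_var1', $single);
echo "single-quoted call saw: ", implode('', $single), PHP_EOL;

// Double-quoted or concatenated string with escaped values: the PHP values
// are inserted, and the shell cannot reinterpret them.
$sent = [$pass_var1, $pass_var2, $pass_var3];
$cmd  = build_command($child, $sent);
exec($cmd, $out, $status);
$received = json_decode(implode("\n", $out), true);

echo "command:  ", $cmd, PHP_EOL;
echo "received: ", json_encode($received), PHP_EOL;
echo ($status === 0 && $received === $sent)
    ? "all arguments arrived unchanged" . PHP_EOL
    : "argument mismatch" . PHP_EOL;

unlink($child);
```

On Windows, escapeshellarg quotes differently and replaces some characters with spaces, so the round-trip comparison only holds on a POSIX shell.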
0

You'd probably want to integrate the script directly into your project using include or require. Using system() or exec() can be very dangerous, as it could allow a user of your web application to execute almost anything on your webserver. With regards to your question, I believe it is partially answered here: What are the differences of system(), exec() and shell_exec() in PHP?

Either

exec("php -f /path/to/script.php $params");

Or

system("php -f /path/to/script.php $params");

Should work

Community
NoCode
  • That's a good point and I would be worried if the app was facing a public domain. This is an internal app, I don't mind using it. What does the php -f flag do? – unixmiah Dec 22 '14 at 18:04
  • The -f flag tells it to parse and execute that file, but I suppose it also works without. – NoCode Dec 22 '14 at 18:34