0
<form action="index.php" method="POST">
<input name="field1" type="text" />
<input type="submit" name="submit" value="Save Data">
</form>

<?php
    field=$_POST["field1"]
    exec('command 2>&1' $output);
    print_r($output);
?>

I am trying to append field to the end of the exec. Field is a variable and gets its value from the user through an HTML form. However, I get a server 500 error, probably because I am using it wrong.

I have tried:

exec('command 2>&1', $field, $output);
exec('command $field 2>&1', $output);
exec('command 2>&1', .$_POST["field1"]. $output);

How do I use this properly?

Aᴍɪʀ
  • `command {$output} 2>$1;` But it's terribly wrong and not secure. – Axalix Dec 24 '15 at 18:30
  • What if I check the field1 value is something that I want from user or not by using if before that? – blackflamingo Dec 24 '15 at 18:34
  • "exec" + data from the "outside" is a potentially dangerous combination. If you can guarantee full control over the data you execute, it works. – Axalix Dec 24 '15 at 18:36

3 Answers

1

Use shell_exec:

<?php
    $field = $_POST["field1"];
    // escapeshellarg() quotes the value so the shell treats it as a single argument
    $output = shell_exec("command 2>&1 ". escapeshellarg($field));
    print_r($output);
?>
RomanPerekhrest
0

Try:

exec("command $field 2>&1", $output);

See What is the difference between single-quoted and double-quoted strings in PHP?

But since the field comes from unvalidated user input, you should escape it first.

exec('command ' . escapeshellarg($field) . ' 2>&1', $output);
Barmar
0
    exec('command ' . escapeshellarg($_POST["field1"]) . ' 2>&1', $output);
    print_r($output);

Thank you to everyone who posted a message on my question. The code above works for me.
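The comments ask whether checking field1 before calling exec is enough, and the answers rely on escapeshellarg(). The following is an added example, not code from any of the posters, that combines both: an allowlist check first, then escaping. The helper name buildCommand and the allowlist pattern are assumptions; "command" is the placeholder from the question.

```php
<?php
// Added example: validate the form value against an allowlist, then escape it.
// "command" is the placeholder name from the question; the pattern and the
// length limit are assumptions to adapt to what the real program accepts.

/**
 * Returns the shell command line for a submitted value,
 * or null if the value is rejected.
 */
function buildCommand($raw): ?string
{
    // PHP turns field1[]=... into an array; only plain strings are accepted.
    if (!is_string($raw)) {
        return null;
    }
    // Allowlist: 1-64 characters from letters, digits, "_", "." and "-".
    // The first character may not be "-", so the program cannot read the
    // value as one of its own options (escapeshellarg does not prevent that).
    if (!preg_match('/\A[A-Za-z0-9_.][A-Za-z0-9_.-]{0,63}\z/', $raw)) {
        return null;
    }
    // Second layer: quote the value so the shell sees exactly one argument.
    return 'command ' . escapeshellarg($raw) . ' 2>&1';
}

// Constructed sample inputs, printed to show which ones are accepted.
$samples = ['report.txt', 'a b', '-v', 'a;b', ['nested'], ''];
foreach ($samples as $s) {
    $cmd = buildCommand($s);
    printf("%-14s => %s\n", json_encode($s), $cmd ?? 'REJECTED');
}

// Form handler: runs only when the page receives a POST request.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $cmd = buildCommand($_POST['field1'] ?? null);
    if ($cmd === null) {
        http_response_code(400);
        exit('Invalid value for field1');
    }
    exec($cmd, $output, $status); // $status receives the exit code
    // Command output goes into an HTML page, so encode it before printing.
    echo htmlspecialchars(implode("\n", $output), ENT_QUOTES, 'UTF-8');
}
```

Run from the command line, the script prints only the sample table; the handler block executes when the file is requested with POST.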