Command Line Commands with PHP
The Command Line PHP software provided with this article lets you send commands to the server's operating system even with hosting accounts that don't have command line capabilities.
Unless you have your own server or virtual server, your account won't have command line capabilities – sending commands directly to the operating system software or running its utilities. It's generally done via a terminal with telnet or SSH.
The Basic UNIX Commands page contains a short list of Unix commands and utilities (Linux are similar). A search for "UNIX commands" or "Linux commands" will find more references.
The command that started me thinking about this article is the "which" command. Specifically, "which php". I needed to know where PHP was installed at a client's website and didn't have command line available via terminal. So I made a quick PHP script to send the command to the operating system and get the response.
(Don't know why the utility to locate certain system software installation locations is named "which," but that's what it is.)
I quickly found out where PHP was installed.
Then I expanded the script to make it user friendly.
What commands you can run with Command Line PHP depends on what the hosting company allows you access to. (Unix commands are traditionally short and abbreviated, sometimes cryptic. Linux is derived from Unix.)
Try these commands:
-
which sendmail
The server location of sendmail. -
which perl
The server location of perl. -
which php
The server location of php. -
ls
(The letter l, not the digit 1.)
A list of files in the current directory."ls" can be thought of to mean "list."
-
ls -l
(The letter l both places, not the digit 1.)
A list of files in the directory with sizes, times, and permissions.The "-l" is a flag. A flag is a directive for the utility causing it to function different than default behavior. "-l" is a flag telling the utility to respond with "long" descriptions."
-
ps
A list of processes currently running on the server."ps" can be thought of to mean "processes."
-
ps ?
A list of flags available for use with the ps utility. Flags modify the behavior of a utility, generally but not always resulting in different output. -
ps -ACejw
A list of current processes with more information than you'll know what to do with. (Some hosting accounts may disallow some of the flags.) -
curl http://www.google.com/
Request the web page at http://www.google.com/ using the curl utility. (May be useful for retrieving a web page with your server's IP address instead of your regular internet connection IP address. The IP address is your server's IP address because the curl utility on your server requests the page.)
Here is the source code for the Command Line PHP software.
<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8" >
<title>Command Line</title>
<style type="text/css">
body { margin:0; font-family:sans-serif; font-size:14px; }
th { font-size:.8em; }
p, li, td { font-size:1em; line-height:120%; }
h1 { font-size:1.8em; }
h2 { font-size:1.6em; }
h3 { font-size:1.4em; }
h4 { font-size:1.2em; }
h5 { font-size:1em; }
a { text-decoration:none; color:#1c5292; font-weight:bold; }
a, a img { border:none; outline:none; }
.normal { font-weight:normal; font-style:normal; font-decoration:none; }
#content { margin:0 0 0 150px; padding:75px 0 100px 50px; width:550px; border-left:6px groove #2F83E5; }
.inputfield { width:300px; padding:7px 3px 5px 4px; font-family:sans-serif; font-size:1em; line-height:1em; border:1px solid black }
.submitfield { width:311px; font-weight:bold; } /* input width plus left-right padding plus left-right border */
</style>
</head>
<body><div id="content">
<div style="position:fixed; left:50px; top:50px;">
<a href="//www.willmaster.com/">
<img src="//www.willmaster.com/images/wmlogo_icon.gif" style="width:50px; height:50px; border:none;" alt="Willmaster logo">
</a>
</div>
<h1 style="position:relative; top:-30px; letter-spacing:1px;">Command Line</h1>
<?php
$goahead = false;
if( isset($_POST['command']) and strlen($_POST['command']) )
{
$goahead = true;
$_POST['command'] = stripslashes(trim($_POST['command']));
}
?>
<?php if($goahead): ?>
<p>Command: <b><?php echo( htmlspecialchars($_POST['command']) ); ?></b></p>
<pre>
<?php
$command = $_POST['command'];
echo `$command`;
?>
</pre>
<hr width="200" style="margin:25px 0px 25px 0px;">
<h3>Another?</h3>
<?php endif; ?>
<form method="post" action="<?php echo($_SERVER['PHP_SELF']); ?>">
<p>
Type the command:<br>
<input type="text" class="inputfield" name="command" value="<?php echo( htmlspecialchars(@$_POST['command']) ); ?>">
</p>
<div style="position:relative;">
<p>
<input type="submit" class="submitfield" value="Run Command" onclick="WorkingOn()">
</p>
<div id="working" style="display:none; position:absolute; top:-15px; left:-5px; border:5px solid gold; width:300px; background-color:white; color:gold; font-size:18px; font-weight:bold; font-family:verdana,sans-serif; padding:10px; text-align:center;">
Working...
<div style="position:absolute; top:-1px; right:0px; font-size:11px; font-weight:bold; color:blue; cursor:pointer;" onclick="WorkingOff()">[X]</div>
</div>
</div><!-- style="position:relative;" -->
</form>
<script type="text/javascript">
function WorkingOn() { document.getElementById("working").style.display="block"; }
function WorkingOff() { document.getElementById("working").style.display="none"; }
</script>
</div></body></html>
Save the source code as commandline.php. (Or save it as sdfrr9830SKSDD.php for security reasons. See "Security Considerations" further below.)
Upload it to your server and type its URL into your browser.
Specify the command you want to run and click the "Run Command" button.
Security Considerations
It is prudent to protect the script from use by the the general public. It isn't their business what your directory names are. Knowing the directory names might give a cracker information from which s/he can deduce enough to do damage.
Protection by obfuscation is one way. Not the best way, but generally better than nothing at all. Obfuscation is naming the script file something unlikely to be guessed. Or putting the script into a subdirectory with such a name.
Protection by password is better. Put the script into a password protected directory.
Protection by disabling the script is better still. Rename the script with a .txt or .cgi extension to disable its use. The source code might be viewed, but the script can't be used as named.
Protection by removal is best of all. Upload the script only when you wish to use it. Use the script. Then immediately delete the script from the server.
Command Line PHP lets you send commands to the server's operating system even with hosting accounts that don't have command line capabilities.
Will Bontrager
