Using Perl exec

newbe.....  know enough to be dangerous
Want to run a perl script from a php script

$cmd = "../../../cgi-bin/RentUpdate1.pl
$aryVars = array();
$intRet = 1;
$lastLine = exec($cmd, $aryVars, $intRet) ;


$aryVars = array(); // this is my problem, I need to provide this on the end of the cmd
   ?ID=$ID_1&action=save&password=''&avail=No&Name=$LName&Due=$DueItemA
as in:
"../../../cgi-bin/RentUpdate1.pl?ID=$ID_1&action=save&password=''& avail=No&Name= $LName &Due=$DueItemA"
as in:
"../../../cgi-bin/RentUpdate1.pl?ID=$ID_1&action=save&password=''& avail=No&Name= $LName &Due=$DueItemA"


or a better way if known?  "can't use require"
tomrectorAsked:
Who is Participating?
 
FishMongerConnect With a Mentor Commented:
Sorry, I guess I misread your statement and interjected my misunderstanding.

The explanation of your security concern would not only apply to executing a script from the cgi-bin, but to any outside code executed via the exec function that returns data to be processed.  I can't say how valid that concern is without a valid example that can be tested and were the vulnerability is exposed.
0
 
ozoConnect With a Mentor Commented:
why not $cmd = "../../../cgi-bin/RentUpdate1.pl?ID=$ID_1&action=save&password=''& avail=No&Name= $LName &Due=$DueItemA" ?
0
 
Brian UtterbackConnect With a Mentor Principle Software EngineerCommented:
I think I see your problem. You are trying to invoke a CGI perl script from the command line by using the same string as you would expect to give it when calling it from the URL. That won't work the way you expect. The web server parses the URL and then passes different parts of the argument to the script in the form of environment variables. But when you invoke a command from the command line or a script you are passing the arguments through a shell not a webserver and the shell doesn't know that it needs to parse the argument like a webserver.

Some CGI script packages allow you to pass the arguments on the command line, but the syntax may be a little different. It depends on what package you used. Can you post the first few lines of the RentUpdate1.pl script, the parts with the "requires" lines so I can see what CGI package you are using?
0
Cloud Class® Course: Ruby Fundamentals

This course will introduce you to Ruby, as well as teach you about classes, methods, variables, data structures, loops, enumerable methods, and finishing touches.

 
ozoConnect With a Mentor Commented:
If you are trying to invoke a CGI script, and the perl program is not designed to take CGI arguments from the command line QUERY_STRING environment variable
0
 
arnoldConnect With a Mentor Commented:
Blu, covered that envoking the perl script requires that you set environment variable for query_string which will have the data/string after ? (ID=........)

The other issue you face is that the response from this script is likely HTML based/formatted data.

It might be simpler to integrate/convert/translate the functionality of the cgi-script into your php as a function.

Another option is to use curl to generate a web request to your cgi-bin.
http://www.higherpass.com/php/tutorials/Using-Curl-To-Query-Remote-Servers/
0
 
Slick812Connect With a Mentor Commented:
greetings  tomrector, , I do not have a solution for using both CGI perl AND PHP, , but I can tell you from experience that it is a BAD IDEA to try and use both CGI and PHP at the same time, these are TWO DIFFERENT web server languages and setups, although you can get some code to seemingly work using both, it was inconsistent in my efforts, and when I talked to my host Server support staff, they said that they would NOT help me or support my efforts to use both at the same time because of a large number of problems that this might cause in the code execution. They told me I should use One or the Other, but never both in any web page production, and now I believe them! after trying methods to use both.
You should get the methods or code for what the  RentUpdate1.pl  does, and then write this in PHP.
0
 
FishMongerConnect With a Mentor Commented:
While I do agree that using both PHP and Perl may not be the best solution, but it's not hard to do and is often done in commercial apps.  One such app that I work with is Vicidial which is an open source Call Center Suite for the Asterisk PBX.

Since the perl script is being executed via the exec() function, you need to adjust the command so that it could be executed directly from the command line.

This should work:
$cmd = "../../../cgi-bin/RentUpdate1.pl ID='ID_1' action='save' password='' avail='No' Name='LName' Due='DueItemA'";

Open in new window


And here's my test case, which I tested this on Windows, but should also work on *nix after adjusting for the difference in quoting in the command.

RentUpdate1.pl
#!usr/bin/perl

use strict;
use warnings;
use CGI;
use Data::Dumper;

my $cgi = CGI->new;
my %params = $cgi->Vars;

print $cgi->header,
      $cgi->start_html,
      $cgi->pre(Dumper \%params),
      $cgi->end_html;

Open in new window


c:\test>RentUpdate1.pl ID='ID_1' action='save' password='' avail='No' Name='LName' Due='DueItemA'
Content-Type: text/html; charset=ISO-8859-1

<!DOCTYPE html
        PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
         "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-US">
<head>
<title>Untitled Document</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
</head>
<body>
<pre>$VAR1 = {
          'ID' => '\'ID_1\'',
          'password' => '\'\'',
          'action' => '\'save\'',
          'Due' => '\'DueItemA\'',
          'Name' => '\'LName\'',
          'avail' => '\'No\''
        };
</pre>
</body>
</html>Due='DueItemA'
0
 
FishMongerConnect With a Mentor Commented:
Basically, all you need to do is replace the & with a space and possibly put quotes around the value of each param.
0
 
arnoldConnect With a Mentor Commented:
The issue the asker is facing once the cgi scrip executes is that the data might be in HTML format that then needs to be parsed in order to extract the information of interest to the asker.
Of course this script can be modified to output the data as plain text.
By altering the content-type: print statement as well as removing any HTML related code/data.
0
 
FishMongerCommented:
arnold,

How does that invalidate my suggestion?

The problem the OP is having is in formatting the command correctly so that it can be executed via the exec() function.  The type of output that is generated/captured and its processing wasn't part of the question, as far a I can tell.

Here's a working/tested example php script that calls the perl script.  I adjusted the perl script to only output the params data.
#!usr/bin/perl

use strict;
use warnings;
use CGI;
use Data::Dumper;

my $cgi = CGI->new;
my %params = $cgi->Vars;

print $cgi->pre(Dumper \%params);

Open in new window

<?php
    $ID_1 = 123;
    $LName = 'lastname';
    $DueItemA = 'today';
    $cmd = "perl ../cgi-bin/RentUpdate1.pl ID=$ID_1 action=save password='' avail=No Name=$LName Due=$DueItemA";
    $script_output = array();

    exec($cmd, $script_output, $intRet);
    print_r($script_output);
?>

Open in new window


PHP Output:
Array
(
    [0] => <pre>$VAR1 = {
    [1] =>           'ID' => '123',
    [2] =>           'password' => '',
    [3] =>           'action' => 'save',
    [4] =>           'Due' => 'today',
    [5] =>           'Name' => 'lastname',
    [6] =>           'avail' => 'No'
    [7] =>         };
    [8] => </pre>
)
0
 
arnoldConnect With a Mentor Commented:
FishMonger, at no point did I suggest that a solution to the askers direct question was invalid, was just pointing out that while the asker works on resolving this cgi-bin script execution interaction with their existing PHP code, the more complex an inevitable question will come up depending on the data within the cgi-bin script, will come up is how to get the data out of an HTML formatted page.
The other issue that I just thought of/realized is that using a cgi-bin, as a gateway to data a php script needs may open the asker's data to be compromised.
vi an errand web server hiccup where it prints out the raw data from a PHP page versus the processed HTML result.
i.e. web server, php update, an issue with modification where php functionality is commented out.

Calling external scripts/data sources when the PHP code can include that functionality contributes unnecessarily an additional load/transaction on the system that it does not need.

It is highly possible that once a modification of the php code is initiated, the setup might be further simplified.

An apt analogy would be a bank teller having to call an outside party to get the key to access the safe. or to send to this third party items that need to be added/removed from the safe within the bank.
A simplification would be to have a trusted person/s within the bank with higher level access to access the safe.
0
 
arnoldConnect With a Mentor Commented:
The exposure as a simple example deals with a typo on the filename that is then pushed/treated as plain text.

Save the filename as .phop. Using IDE to create the site, the .phop is referenced as a link.
.....

A interaction using curl with an external resource is one thing,
The script currently stored in cgi-bin need not be there since the execution occurs within the server/php rather than called back to the web server for processing.
0
 
Brian UtterbackConnect With a Mentor Principle Software EngineerCommented:
From the Perl CGI docs on debugging:

If you are running the script from the command line or in the perl debugger, you can pass the script a list of keywords or parameter=value pairs on the command line or from standard input (you don't have to worry about tricking your script into reading from environment variables). You can pass keywords like this:
    your_script.pl keyword1 keyword2 keyword3
or this:
   your_script.pl keyword1+keyword2+keyword3
or this:
    your_script.pl name1=value1 name2=value2
or this:
    your_script.pl name1=value1&name2=value2
To turn off this feature, use the -no_debug pragma.

So, as I said at the beginning, some CGI packages support getting there parameters from the command line, and in your case, yours does. So FishMonger had the right instructions, simply change the URL keyword parameters to command line parameters and keyword value pairs into command line keyword value pairs.
0
 
tomrectorAuthor Commented:
Sorry I have not responeded been busy...

Still no luck,,

To be clear:
this works from the address bar
http://www.MYSITE.com/cgi-bin/RentUpdate1.pl?ID=2130&action=save&password=''&avail=No&Name=Rector&Due=08 Sep 2013
 
I need that to work calling it from a php script.
 i.e.
http://www.MYSITE.com/cgi-bin/RentUpdate1.pl?ID=$ID_1&action=save&password=''&avail=No&Name=$LName&Due=$DueItemA

I do not really need any additional resulting output.



Thanks
0
 
FishMongerConnect With a Mentor Commented:
Please post the code you tested and what output you received and how that differs from what you expected.
0
 
arnoldConnect With a Mentor Commented:
Look at using curl within php to access the script through a query to the webserver.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.