Pass hexdata to an externam program from PHP

Question

here is my issue: I wish to pass some hexadecimal data to an external app from PHP:

exec('echo "'.$message.'" | /usr/bin/gateway');

and $message comes from user input:

test'"/'\'/"\""//

addslashes(), stripslashes() doesn't solve my troubles. While using:

$message = stripslashes($_POST['message']);

It the console log I can see:

sh: 1: Syntax error: Unterminated quoted string

or an empty value

So I started thinking, that converting the input to hexadecimal values and passing them could help:

exec('echo -e '.$message.' | /usr/bin/gateway');

But then I got troubles passing hexadecimal data to that echo.

So my question is how to do that? I need to pass exactly the same string, that user writes, to the gateway service. - convert user input to hex form, and put it in the echo -e (how?) - or somehow fight with the quotations and slashes

Answer 1

In the general case, you cannot pass the user input through the shell because of the shell's escaping rules. What you should be doing is getting a handle on the newly spawned process's standard input stream and feed it directly.

You can use popen to do this:

$handle = popen('/usr/bin/gateway', 'w');
fwrite($handle, $_POST['message']);
pclose($handle);

If you need to do more than the example shows and popen does not provide enough functionality, proc_open is a more involved and powerful alternative.

WARNING: Feeding unfiltered user input to an external process leaves you vulnerable to exploits related to how the process interprets and acts on this input. If your application is accessible to non-trusted users, strongly consider whitelisting the input!