Name

passthru()

Synopsis

    void passthru ( string command [, int &return_var] )

The passthru() function runs an external program, specified in the first parameter. It prints everything output by that program to the screen, unlike exec(), which prints out only the final line of output that the program generates.

    passthru("who");

This function is helpful if you don't want to worry about how many lines the program returned. For example, many sites use the Unix command fortune with passthru("fortune") to get a quick and easy random quote for the bottom of their pages.

Warning

Taking user input and passing it into passthru() (or any other program execution function) is very dangerous. If you really must use user data as input to your program calls, pass it through the special function escapeshellcmd() first: it takes your input and returns it in a safe format that can be used.

For example, you might have a script that allows people to search files in a directory for a word they enter into a web form, with the crux of the script looking something like this:

    passthru("grep {$_GET['search']} /var/www/meetinglogs/*");

That works fine as long as you can trust the people calling the script, but it's very easy for them to send "nonexistent; cat /etc/passwd; #" as the search field, which causes your grep command to run on an existing file and then print out the contents of your system password file. The # symbol is a shell comment, causing the rest of your original command to be ignored. ...
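A hardened version of the search script above, as an added example that is not code from the book. The helper name `build_search_command()` is hypothetical. It uses escapeshellarg() rather than the escapeshellcmd() named in the warning, because the user value here is a single argument to grep, and it assumes a Unix shell.

```php
<?php
// Added example: hardened variant of the grep search shown above.
// build_search_command() is a hypothetical helper, not part of PHP.

function build_search_command($term): string
{
    // $_GET values can be arrays (?search[]=x), so insist on a string.
    if (!is_string($term)) {
        throw new InvalidArgumentException('search term must be a string');
    }
    // Reject empty or oversized input and control characters (newline, NUL).
    if ($term === '' || strlen($term) > 100
        || preg_match('/[\x00-\x1F\x7F]/', $term)) {
        throw new InvalidArgumentException('invalid search term');
    }

    // escapeshellarg() wraps the value in single quotes, so the shell hands it
    // to grep as one literal argument: ";", "#", "$" and backticks are inert.
    // -F makes grep treat the term as a fixed string instead of a regex.
    // "--" ends option parsing, so a term starting with "-" is not a flag.
    return 'grep -F -- ' . escapeshellarg($term) . ' /var/www/meetinglogs/*';
}

// Vulnerable form from the text: the shell sees three separate commands.
$input = 'nonexistent; cat /etc/passwd; #';
echo 'unsafe: grep ' . $input . ' /var/www/meetinglogs/*', PHP_EOL;

// Hardened form: the whole input is a single quoted search string.
echo 'safe:   ' . build_search_command($input), PHP_EOL;

// In the web script the call becomes:
//   try {
//       passthru(build_search_command($_GET['search'] ?? ''), $status);
//   } catch (InvalidArgumentException $e) {
//       http_response_code(400);
//   }
```

Comparing the two printed command lines shows the difference: in the first, the semicolons and `#` are shell syntax; in the second they sit inside one quoted argument that grep searches for literally.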
