
passing variable to exec function

Posted: Fri Jul 15, 2011 6:35 pm
by quky
OK, I am new to PHP, so bear with me.
I am trying to pass some variables to an exec function like

Code:

<?php 
$val0 = $_GET['tstart']; /// int value 
$val1 = $_GET['tduration']; /// int value 
$val2 = $_GET['Rname'];  /// string value 
//// cropfile.php?tstart=30&tduration=40&Rname=foo.mp3 
echo "the word is:  $val0  and $val1"; 
exec('ffmpeg -ss intval($val0) -t intval($val1) -i $val2 -acodec copy newfoo.mp3 2>&1 &', $out, $rv);
echo "output is:<br>\n".implode("<br>\n", $out)."<br>\nexit code:$rv<br>\n"; 
?>
And for some reason it is not taking the values.
The syntax is:
exec('ffmpeg -ss 00:00:30.00 -t 25 -i foo.mp3 -acodec copy -y bar-new.mp3 2>&1 &', $out, $rv);
What am I missing here?
Best Regards
HP

Re: passing variable to exec function

Posted: Sat Jul 16, 2011 1:05 am
by twinedev
You cannot use variables directly inside of single quotes, you need to either use double quotes, or (for better readability IMO), use them outside of the quotes.

Code:

// intval() is not evaluated inside a quoted string, so call it outside the quotes
exec("ffmpeg -ss ".intval($val0)." -t ".intval($val1)." -i $val2 -acodec copy newfoo.mp3 2>&1 &", $out, $rv);
or

Code:

exec('ffmpeg -ss '.intval($val0).' -t '.intval($val1).' -i '.$val2.' -acodec copy newfoo.mp3 2>&1 &', $out, $rv);
See http://php.net/manual/en/language.types.string.php for more info on the difference between single and double quotes.

-Greg

Re: passing variable to exec function

Posted: Sat Jul 16, 2011 8:50 am
by AbraCadaver
You never want to trust user submitted data and don't want to pass it to exec() un-escaped: http://us2.php.net/manual/en/function.e ... ellarg.php

Re: passing variable to exec function

Posted: Mon Jul 18, 2011 8:15 pm
by beetree
AbraCadaver wrote: You never want to trust user submitted data and don't want to pass it to exec() un-escaped: http://us2.php.net/manual/en/function.e ... ellarg.php

Re-read what is stated above. If you bring the code without escaping the arguments, you will most likely get hacked if your site attracts any volume. Not escaping means anyone can run any command as the webserver-user.
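
The escaping advice in the last two replies, applied to the cropfile.php command from the question. This is an added example, not code posted by anyone in the thread; build_crop_command(), the 0 to 86400 second range and the filename allowlist are assumptions made for illustration, and the trailing & is dropped so that exec() returns ffmpeg's real exit code.

```php
<?php
// Added example, not code from the thread. build_crop_command(), the range
// limits and the filename pattern are hypothetical choices for illustration.

function build_crop_command(array $query): ?string
{
    // Integers: validate and range-check rather than silently coercing,
    // so "30abc" is rejected instead of becoming 30.
    $opts  = ['options' => ['min_range' => 0, 'max_range' => 86400]];
    $start = filter_var($query['tstart'] ?? null, FILTER_VALIDATE_INT, $opts);
    $dur   = filter_var($query['tduration'] ?? null, FILTER_VALIDATE_INT, $opts);
    if ($start === false || $dur === false) {
        return null;
    }

    // Filename: $_GET values may be arrays, so check the type first.
    // The allowlist forbids path separators, spaces and shell metacharacters,
    // and a leading "-" that ffmpeg would read as an option.
    $name = $query['Rname'] ?? '';
    if (!is_string($name)
        || !preg_match('/^[A-Za-z0-9][A-Za-z0-9_-]*\.mp3$/D', $name)) {
        return null;
    }

    // escapeshellarg() is still applied as a second layer: the shell then
    // sees the name as exactly one argument, whatever it contains.
    return sprintf(
        'ffmpeg -ss %d -t %d -i %s -acodec copy -y %s 2>&1',
        $start, $dur, escapeshellarg($name), escapeshellarg('newfoo.mp3')
    );
}

// Constructed sample inputs: the first mirrors the URL in the question,
// the others carry a shell metacharacter and a non-integer start time.
$samples = [
    ['tstart' => '30',    'tduration' => '40', 'Rname' => 'foo.mp3'],
    ['tstart' => '30',    'tduration' => '40', 'Rname' => 'foo.mp3;echo x'],
    ['tstart' => '30abc', 'tduration' => '40', 'Rname' => 'foo.mp3'],
];
foreach ($samples as $q) {
    $cmd = build_crop_command($q);
    echo ($cmd === null ? 'rejected' : $cmd), "\n";
}

// In the real script: $cmd = build_crop_command($_GET);
// if ($cmd !== null) { exec($cmd, $out, $rv); }
```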