1

My LAMP server is CentOS 7.4 with Apache 2.4, PHP 5.4, and Python 3.6.

I am new to Python; I migrated from R to Python just now. I need some Python package to do statistics, and then deliver the output to PHP.

I reviewed lots of similar questions. The answers are around exec(), passthru(), system(), and shell_exec(). They are dangerous commands and should not be enabled in PHP.

In the Python official manual, "Integrating Python With Other Languages", only two tools are mentioned: ppython and PHP "Serialize" in Python. ppython seems no longer maintained, but that's what I need, just like Rserve when I use R.

I also read this post:

Simple and standard solution is using Socket or Webservice(API)

Now, how do I run a Python script in PHP without using exec(), system(), ... (maybe socket communication)?

3
  • You need to have one of these commands. If you're worried that somebody may do things using that command, have it on another environment and use an API call to execute it. Commented Mar 18, 2019 at 7:49
  • 1
    They are only dangerous if you don't know where the command they are executing is coming from. If you construct the command in your own program, it is no different from executing that command yourself from a console. And why should you not do that? Commented Mar 18, 2019 at 8:08
  • I agree that those methods are dangerous, but only when you don't do it the right way. Some applications pass user input into those methods without sanitizing, and then it's dangerous. If you just execute your script then it's OK. Also make sure your Python script is safe as well. Commented Mar 18, 2019 at 8:13

3 Answers

2

Everything is dangerous (even a fork) if you don't know how to use it. Well, you have several options:

  1. Standard: Running the Python interpreter from PHP with exec() / shell_exec(), etc. Plus there will be a small latency and the ability to run Python compiled byte-code, so performance wins here.

  2. Non-standard: If you are concerned a lot about the security issues at hand, I suggest it is better to insert Python commands into some batch table and run these regularly with the CRON scheduler. After execution, fetch the results with PHP. In this way PHP / Python execution will be de-coupled and you will have better control over how / when to execute Python scripts.

  3. Non-standard (avoid at all costs): The project you mentioned has moved to Git at php-python. It simply starts a new Python server on port 21230 and waits for Python commands from PHP scripts. Now, THIS solution is the most dangerous one, because of the additional open port on the web server, which is a big headache for administrators and thus highly not recommended.

  4. The last option is to question the assumption that Python is needed at all in PHP web development. The more different languages in the company IT farm, the harder it will be to maintain all sources and the harder to beat the time-to-market of new features / bug fixes. So before considering execution of Python script(s), first think about re-writing them in plain PHP.

    You can do it automatically, but these types of translators are very error-prone and incomplete - for example this one doesn't support imports. (What the hell? Python without imports is like bread without flour.) The second option is to learn Python and re-write the code at hand into PHP. Or simply get the customer requirements and code them in PHP. Everything that can be done in Python can be done in PHP too (at least from a web development perspective).


5 Comments

Is there any socket solution? Maybe a socket is better than a port.
A socket is just a fancy name for an IP + port pair. And NO, you have to open some port with sockets - thus a big potential security breach.
With a webservice you can solve the problem of an additional port, because many WS use the standard HTTP port. But you are still left with another security breach - if the user can pass arbitrary Python code to the webservice for execution, then you have lost, because a hacker can pass in something like shutil.rmtree('C:\Windows\'). So you are forced to a very limited set of Python commands for execution (error-prone too) or to pre-defined scripts in a web server folder, which is no different from executing them directly with exec(). The result is that you gain nothing with webservices here.
So my box is hosted through a company called Kinsta... They have the su password... and don't give it out... and it so happens that they have all of the standard methods locked down (shell_exec, exec, passthru, etc) :( ... Why does life have to be so hard?
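The "pre-defined scripts in a web server folder" pattern from the answer and its comments, done so that request data never touches the command line. This is an added example in PHP, not code from the question or any answer. It assumes placeholder paths: a worker script at /opt/stats/describe.py that reads one JSON object from stdin and prints one JSON object to stdout, a Python 3 interpreter at /usr/bin/python3, and a log file at /var/log/stats-worker.log.

```php
<?php
// Added example for the "run a pre-defined script" option. Not code from the
// question or the answers. Assumptions (placeholders): the worker script is
// /opt/stats/describe.py, it reads one JSON object from stdin and prints one
// JSON object to stdout, and its stderr is appended to /var/log/stats-worker.log.

function run_python_stats(array $samples, $script = '/opt/stats/describe.py')
{
    // Check the data shape in PHP before starting a process at all.
    foreach ($samples as $x) {
        if (!is_int($x) && !is_float($x)) {
            throw new InvalidArgumentException('samples must be numeric');
        }
    }

    // Interpreter and script path are fixed in code, never taken from the
    // request. escapeshellarg() still wraps them so an unusual path cannot
    // split the command line. (PHP >= 7.4 can pass an array to proc_open()
    // and bypass the shell entirely; the string form works on PHP 5.4.)
    $cmd = escapeshellarg('/usr/bin/python3') . ' ' . escapeshellarg($script);

    $spec = array(
        0 => array('pipe', 'r'),                               // child stdin: we send JSON
        1 => array('pipe', 'w'),                               // child stdout: we read JSON
        2 => array('file', '/var/log/stats-worker.log', 'a'),  // child stderr: log only, never shown to users
    );
    // Minimal environment and a fixed working directory for the child.
    $env  = array('PATH' => '/usr/bin:/bin', 'LANG' => 'C.UTF-8');
    $proc = proc_open($cmd, $spec, $pipes, '/tmp', $env);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start the Python worker');
    }

    // The data travels through the pipe as JSON, not through the command line,
    // so its content cannot change what gets executed.
    fwrite($pipes[0], json_encode(array('samples' => $samples)));
    fclose($pipes[0]);
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    $status = proc_close($proc);

    if ($status !== 0) {
        throw new RuntimeException("Python worker exited with status $status");
    }
    $result = json_decode($out, true);
    if (json_last_error() !== JSON_ERROR_NONE || !is_array($result)) {
        throw new RuntimeException('Python worker returned malformed JSON');
    }
    return $result;   // e.g. array('n' => 4, 'mean' => 2.5)
}

// Usage: input arrives as a JSON request body, output goes back as JSON.
$request = json_decode(file_get_contents('php://input'), true);
if (!is_array($request) || !isset($request['samples']) || !is_array($request['samples'])) {
    http_response_code(400);
    exit('expected {"samples": [numbers]}');
}
header('Content-Type: application/json');
echo json_encode(run_python_stats($request['samples']));
```

The Python side is a few lines of `json.load(sys.stdin)`, the `statistics` module, and `json.dump(result, sys.stdout)`. Two things keep the "fixed script" fixed: the script file and its directory should be owned by root and not writable by the web server user, and the PHP code should never build the script path from request data. With that in place, the only thing an HTTP client controls is the JSON document the worker parses.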
1

Convert your Python script to the Django REST API, and then call it using cURL.

2 Comments

Does the API automatically convert data types between Python and PHP?
You can send and receive data as JSON, so the parameter's data type before converting it to JSON will be preserved after receiving the JSON data.
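A PHP client for the REST approach in this answer, showing the JSON round trip the comment describes. This is an added example, not code from the answer or from Django. It assumes a placeholder service at http://127.0.0.1:8000/describe that accepts a JSON body and answers with a JSON object.

```php
<?php
// Added example, not from the answer: calling a Python web service from PHP
// with cURL, sending and receiving JSON so numeric types survive the trip.
// Assumption: the service (Django REST framework or anything else) listens on
// http://127.0.0.1:8000/describe (placeholder URL) and answers with JSON.

function call_stats_api(array $samples, $url = 'http://127.0.0.1:8000/describe')
{
    $body = json_encode(array('samples' => $samples));

    $ch = curl_init($url);
    curl_setopt_array($ch, array(
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => $body,
        CURLOPT_HTTPHEADER     => array('Content-Type: application/json',
                                        'Accept: application/json'),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_CONNECTTIMEOUT => 2,
        CURLOPT_TIMEOUT        => 10,   // a slow job must not hang the PHP worker forever
    ));
    $raw    = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    $errno  = curl_errno($ch);
    curl_close($ch);

    if ($errno !== 0 || $status !== 200) {
        throw new RuntimeException("stats API failed: curl error $errno, HTTP $status");
    }
    $result = json_decode($raw, true);
    if (json_last_error() !== JSON_ERROR_NONE || !is_array($result)) {
        throw new RuntimeException('stats API returned malformed JSON');
    }
    return $result;
}

// Type round trip: JSON numbers, booleans, null, lists and objects come back
// as PHP int/float, bool, null, array and associative array respectively.
$stats = call_stats_api(array(1, 2.5, 3, 4));
var_dump(isset($stats['mean']) && (is_int($stats['mean']) || is_float($stats['mean'])));
```

JSON preserves the basic types in both directions, but not Python-specific ones: a `datetime`, `Decimal` or NumPy array has to be converted to a string or plain number on the Python side first. On the network side, the objection raised in the comments on the first answer about an extra open port applies here too: bind the Django process to 127.0.0.1 (or a Unix socket behind Apache) rather than to all interfaces, and require an authentication token if anything but the local PHP code may reach it.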
0

PHP has the escapeshellcmd() function which escapes dangerous commands from input fed into the exec(), system(), and similar functions. This will enable you to have the functionality you're looking for without introducing major BASH security vulnerabilities. More about that here.
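What escapeshellcmd() does and does not cover when the escaped value is a command argument, as an added example in PHP (not code from the answer). It runs a harmless `printf` that prints one line per argument the shell handed it; the input value is constructed.

```php
<?php
// Added example, not from the answer: escapeshellcmd() escapes shell
// metacharacters in a whole command string, but it does not quote spaces, so
// one value can still become several argv entries. escapeshellarg() quotes one
// value as exactly one argument. The helper runs `printf '%s\n' <value>`,
// which prints one line per argument it received (constructed demo, no real worker).

function argv_seen_by_shell($escapedValue)
{
    $lines = array();
    exec("printf '%s\\n' " . $escapedValue, $lines);
    return $lines;   // one array element per argv entry the shell produced
}

$value = 'one two';   // constructed input containing a space

// escapeshellcmd() leaves the space untouched: the shell sees two arguments.
$asCmd = argv_seen_by_shell(escapeshellcmd($value));
// escapeshellarg() wraps the whole value in single quotes: one argument.
$asArg = argv_seen_by_shell(escapeshellarg($value));

var_dump(escapeshellcmd($value));   // string(7) "one two"
var_dump(escapeshellarg($value));   // string(9) "'one two'"
var_dump(count($asCmd));            // int(2)
var_dump(count($asArg));            // int(1)
```

The rule of thumb that follows: escapeshellcmd() is for the rare case where the whole command string is assembled from trusted parts, escapeshellarg() is for every individual value, and on PHP 7.4 or newer the array form of proc_open() avoids the shell and its quoting rules altogether. Where possible, keep the command entirely fixed in code and pass data to the script over stdin instead of as arguments.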

Comments
