Support » Developing with WordPress » wp option update home via shell_exec not working using variable

  • Resolved heartagram

    (@heartagram)


    Hey guys,

    This is my first time asking for help here. Not that savy with php and html , however got some of the basics in there.

    Basically I am trying to set-up a php function using a form when you can type-in URL of a website in order to update the WP home and siteurl directly. So far I got this (tried couple of different versions so far):

    <form action=”todtest.php” method=”post”>
    <input type=”hidden” name=”act14″ value=”run”>
    <input type=”text” value=”NewURL”>
    <input type=”submit” value=”Submit”>
    </form>
    <h4> THIS WILL WORK WITH WORDPRESS SITE! </h4>

    <?php
    if (!empty($_POST[‘act14’])) {
    $newurl = $_POST[‘NewURL’];
    $inod2 = “wp option update home ‘”.$newurl.”‘ ; wp option update siteurl ‘”.$newurl.”‘”;
    $inod1 = (string) $inod2; //shell_exec raboti podobre ako commandata e v string format
    $output = shell_exec($inod1);

    echo “

    $output

    “;

    }
    ?>

    When I execute it I get this output:

    Success: Value passed for ‘home’ option is unchanged.
    Success: Value passed for ‘siteurl’ option is unchanged.

    I also tried using URL instead of the variables I added there on that line:

    $inod2 = “wp option update home ‘”.$newurl.”‘ ; wp option update siteurl ‘”.$newurl.”‘”;

    With URL such as http://something is working just fine and is updating but not with the ‘”.$newurl.”‘ var that I have set-up into the form. Can you please guys give me a hint on how to make this work properly ? Thank you!

    The page I need help with: [log in to see the link]

Viewing 4 replies - 1 through 4 (of 4 total)
  • I don’t know the answer sorry, but sounds like a bit of a security nightmare for something that doesn’t take very long through the Dashboard or even phpMyAdmin.

    Thank you for the commend!

    THe shell_exec should execute a shell command directly through a php file. That is the wp-cli command to update the options table (more accurate – the Home and siteurl rows) and update a new URL for them to open the WP site.

    However my basic form seems to be missing something that I am not fully aware of 😀

    Just another lazy way to put shell commands to help you manage a WP site directly through it , without accessing the server via SSH. (more of a hobby thing I have to pass the time at the moment 🙂 )

    Hope someone can help with that 🙂

    Hey guys,

    Just found the solution if anyone finds it interesting. Again my lack of basic knowledge 😀

    Forgot to add name to the form as in bellow:

    <input type=”text” value=”http://example.com”>

    And here is the correct one :

    <input type=”text” value=”http://example.com” name = ‘TheNewURL’>

    Here is the full result:

    <form action=”todtest.php” method=”post”>
    <input type=”hidden” name=”act14″ value=”run”>
    <input type=”text” value=”http://example.com” name = ‘TheNewURL’>
    <input type=”submit” value=”Submit”>
    </form>
    <h4> THIS WILL WORK WITH WORDPRESS SITE! </h4>

    <?php
    if (!empty($_POST[‘act14’])) {
    $newurl = $_POST[‘TheNewURL’];
    $inod2 = “wp option update home ‘”.$newurl.”‘ ; wp option update siteurl ‘”.$newurl.”‘”;
    $inod1 = (string) $inod2; //shell_exec raboti podobre ako commandata e v string format
    $output = shell_exec($inod1);

    echo “

    $output

    “;

    }
    ?>

    That got it working perfectly 🙂

    Holy site vulnerability Batman! Please tell me you aren’t using that code in a production environment…

    You should be using the update_option() function:

    https://developer.wordpress.org/reference/functions/update_option/

    Doing a sanity check on the $_POST data wouldn’t be a bad idea, either. 🙂

Viewing 4 replies - 1 through 4 (of 4 total)
  • You must be logged in to reply to this topic.