Can I execute the shell_exec() function in PHP, or is it prohibited?

Short answer: On Ucartz Shared Hosting plans this is not allowed. On VPS and Dedicated Server plans it is allowed with proper configuration and security controls.

What is shell_exec() and why is it restricted?

shell_exec(), exec(), system(), and passthru() let PHP run commands on the server shell. These functions are powerful and can affect the whole system if misused. On shared servers many customers run on the same machine, so these functions are disabled to protect everyone.

Policy by hosting type

  • Shared Hosting: Not permitted. Shell functions are disabled in PHP. Requests to enable them on shared servers will be declined for security reasons.
  • VPS Hosting: Permitted with care. You control the server and may enable shell functions. You are responsible for security and maintenance. See our VPS plans here: Ucartz VPS Hosting.
  • Dedicated Servers: Permitted with care. You can enable these functions on both unmanaged and managed servers. Plans: Unmanaged Dedicated Server | Managed Dedicated Server

How to enable on VPS or Dedicated

  1. Check if functions are blocked in php.ini under disable_functions. Example:
    disable_functions = exec, shell_exec, system, passthru
    Remove the functions you need from this list, then reload PHP-FPM or Apache.
  2. If you use cPanel or a similar panel, set this in the appropriate PHP Editor for the domain or modify the pool config and reload the service.
  3. Run PHP under separate users and use least privilege. Avoid running web apps as root.

Best practices and cautions

  • Validate and sanitize every input. Never pass user input directly to the shell.
  • Use absolute paths for binaries. Limit PATH and environment variables.
  • Prefer safer PHP alternatives or dedicated libraries when possible.
  • Use escapeshellarg() and escapeshellcmd() where suitable, in addition to validation.
  • Log and monitor command usage. Keep regular backups.

Example usage on VPS or Dedicated

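<?php
// Fixed command with an absolute path; nothing here comes from user input.
$cmd = '/usr/bin/whoami';
// shell_exec() returns null or false on failure or when there is no output.
$output = shell_exec($cmd);
// Escape the output before printing it into an HTML page.
echo htmlspecialchars((string) $output, ENT_QUOTES);
?>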

This simple example uses a fixed command and escapes output before printing. Do not build commands from untrusted input.
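
When one argument does have to come from a request, the best practices above can be combined as in the following added example, which is not Ucartz code. The function name upload_dir_usage(), the /usr/bin/du binary path, the /var/www/uploads base directory and the dir request parameter are assumptions chosen for illustration.

```php
<?php
// Added example (hypothetical names and paths): disk usage of one upload folder.
const DU_BIN = '/usr/bin/du';             // assumed absolute path to the binary
const UPLOAD_ROOT = '/var/www/uploads';   // assumed base directory

function upload_dir_usage(string $userDir): string
{
    // 1. Validate: accept only a short name made of safe characters.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $userDir)) {
        throw new InvalidArgumentException('Invalid directory name');
    }
    // 2. Resolve symlinks and confirm the result is still inside the base directory.
    $root = realpath(UPLOAD_ROOT);
    $path = realpath(UPLOAD_ROOT . '/' . $userDir);
    if ($root === false || $path === false || !is_dir($path)
        || strncmp($path, $root . '/', strlen($root) + 1) !== 0) {
        throw new InvalidArgumentException('Unknown directory');
    }
    // 3. Absolute binary, fixed options, "--" to end option parsing, quoted argument.
    $cmd = DU_BIN . ' -sh -- ' . escapeshellarg($path);
    // 4. Run with a minimal environment; stderr is discarded, stdout is captured.
    $env = ['PATH' => '/usr/bin:/bin', 'LC_ALL' => 'C'];
    $spec = [1 => ['pipe', 'w'], 2 => ['file', '/dev/null', 'w']];
    $proc = proc_open($cmd, $spec, $pipes, '/', $env);
    if (!is_resource($proc)) {
        throw new RuntimeException('Could not start command');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    $status = proc_close($proc);
    // 5. Log every invocation with its exit status.
    error_log(sprintf('shell command: %s (exit %d)', $cmd, $status));
    if ($status !== 0) {
        throw new RuntimeException('Command failed');
    }
    return trim((string) $out);
}

try {
    $dir = $_GET['dir'] ?? '';
    echo htmlspecialchars(upload_dir_usage(is_string($dir) ? $dir : ''), ENT_QUOTES);
} catch (Throwable $e) {
    http_response_code(400);   // reject without echoing error details
    echo 'Request rejected';
}
```

proc_open() is used here because it accepts an explicit environment; if it appears in disable_functions it has to be removed from that list in the same way as the functions named above.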

Need help?

If you want our team to enable or review shell functions on your VPS or Dedicated server, open a ticket with details of your use case: Contact Support.

Summary
