Other Topics

This section contains various topics that come up during application development, concerning both R and PHP, and their integration.

Command Line Arguments

Rscript can process R files with additional parameters supplied on the command line, e.g. if a script test.r is called as in this example:

Rscript test.r 12

then the parameter supplied can be accessed within test.r by the following statement:

arg <- commandArgs(trailingOnly = TRUE)[1]

Note that commandArgs() returns character strings; if the value is used in calculations it has to be converted to numeric format. as.numeric() returns NA (with a warning) when the string is not a number, so the result should be checked with is.na() before it is used:

x <- as.numeric(arg)

Passing Form Input via PHP to R

Sometimes user input has to be passed to an R script as a command line parameter. An HTML form collecting such input looks e.g. like this:

<form action="test.php" method="POST">
<table>
<tr> <td> Mu: <td> <input type="text" name="mu">
<tr> <td> <td> <input type="submit" value="OK">
</table>
</form>

The content of the input field mu can be accessed in the PHP script test.php by $_POST['mu'] (the key must be quoted; a bare mu is an undefined constant and a fatal error in PHP 8), e.g.

  // missing field (script opened directly, not via the form) yields an empty string
  $mu = isset($_POST['mu']) ? $_POST['mu'] : '';
  // is_numeric() keeps shell metacharacters out; escapeshellarg() is a second line of defence
  if (is_numeric($mu)) { echo shell_exec("Rscript test.r " . escapeshellarg($mu)); }
  // never echo raw user input back into the page (cross-site scripting)
  else { echo "input is not numeric: ", htmlspecialchars($mu); }

Note that this only makes sense when the PHP code above is called as the action of the HTML form, otherwise $_POST is empty.

The contents of the input field must be checked before being passed to shell_exec(), otherwise an attacker can append further shell commands (e.g. a value such as 12; rm -rf /) and have them executed with the privileges of the web server. In the example above the check is_numeric() takes care of that: it only accepts strings that look like numbers (digits, sign, decimal point, exponent notation and leading whitespace), none of which have a meaning to the shell. Wrapping the value in escapeshellarg() as well costs nothing and protects against the check being weakened later. Note that the check should be an allow-list like this one, never a search for known-bad characters.

Constructing Text from Components

Sometimes text strings have to be constructed on the fly from several components, such as an SQL statement with a restriction on a given value x, where the contents of x came from another part of the system, e.g., command line parameters:

x <- as.numeric(arg)                 # non-numeric input becomes NA (with a warning)
if (is.na(x)) stop("argument is not numeric: ", arg)
sql <- paste("select id from product where price < ", x, " order by id")
res <- dbGetQuery(con, sql)

Using the paste() function the value of x is inserted into the text variable sql. That variable is then passed to dbGetQuery() for execution.

Again, the contents of x must be checked before being made part of an SQL statement, otherwise the dreaded SQL injection is possible, i.e. execution of additional or altered SQL code. In the example above the conversion to numeric takes care of that, because whatever the attacker supplies ends up as either a number or NA, and the is.na() check rejects the latter (without it the statement would silently read "price < NA"). For values that are not numbers, and as the general solution, DBI lets the value be passed separately from the SQL text, either via the params argument of dbGetQuery() or via sqlInterpolate(), so that it can never be interpreted as SQL.
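The following is an added example (not code from the original page) that combines the two points above: it reads the command line argument, refuses anything that is not a finite number, and then hands the value to dbGetQuery() as a bound parameter rather than pasting it into the SQL text. It assumes the DBI and RSQLite packages; the product table, its prices and the function names are constructed for the demonstration and are not part of the original page.

```r
# Added example, not from the original page. Assumes the DBI and RSQLite
# packages. The product table below is constructed sample data.
library(DBI)

# Fail loudly when the argument is missing or not a number: as.numeric()
# would otherwise return NA and a pasted query would read "price < NA".
parse_price_arg <- function(args = commandArgs(trailingOnly = TRUE)) {
  if (length(args) < 1) stop("usage: Rscript test.r <max-price>")
  x <- suppressWarnings(as.numeric(args[1]))
  if (is.na(x) || !is.finite(x)) stop("argument is not numeric: ", args[1])
  x
}

# Safe: the value travels as a bound parameter, never as part of the SQL text.
ids_below_price <- function(con, x) {
  dbGetQuery(con, "select id from product where price < ? order by id",
             params = list(x))$id
}

# Unsafe variant kept only for comparison: the raw argument becomes SQL.
ids_below_price_unsafe <- function(con, raw) {
  dbGetQuery(con, paste("select id from product where price <", raw,
                        "order by id"))$id
}

con <- dbConnect(RSQLite::SQLite(), ":memory:")
dbWriteTable(con, "product",
             data.frame(id = 1:4, price = c(5, 12, 20, 50)))   # constructed sample data

print(ids_below_price(con, parse_price_arg("12")))          # only id 1 (price 5)
print(ids_below_price_unsafe(con, "0 or 1=1"))              # tautology: every id
tryCatch(parse_price_arg("0 or 1=1"),                       # rejected before any SQL
         error = function(e) message(conditionMessage(e)))
dbDisconnect(con)
```

Run as `Rscript test.r 12` the script would call parse_price_arg() with the real command line; the calls at the bottom use literal strings so that the behaviour can be seen without a web server in front of it. Note that the numeric check is still needed with bound parameters: binding the string "0 or 1=1" is harmless as SQL, but it is not a price either, and rejecting it early gives the user a clear error instead of an empty result.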

Creating Images

Various commands create images in the current directory, e.g.

somedata <- rnorm(100)   # any numeric vector
jpeg("hist.jpg")         # open a JPEG graphics device writing to the current directory
hist(somedata)
dev.off()                # close the device; only now is the file written completely

If this code is run from the command line with Rscript by the user who owns the directory there is no problem. However, when called from PHP, e.g.

<?php
  shell_exec("Rscript hist.r");   // runs as the web server user, e.g. www-data
?>

the web server needs permission to write to the file (or, if the file does not exist yet, to the directory it is created in). One quick fix, once the image file exists, is

chmod o+w hist.jpg

which grants write access to every user on the machine, including the Apache user that runs PHP, which in turn runs R. (A bare chmod +w only adds the bits permitted by the current umask, which with the usual umask of 022 is just the owner's write bit, so it typically does not help here.)

This solution is not ideal, as every user on the server can now write to that file. A better solution is to change ownership of the file to www-data (the user id of the web server), but only the root user can do that:

chown www-data hist.jpg

Better still is to let R write into a dedicated output directory that is owned by www-data (created once by root), so that no file has to exist in advance and nothing else in the web root needs relaxed permissions.
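As an added example (not code from the original page), the R side of that arrangement: the script writes into a dedicated output directory, checks beforehand that the directory is writable by the user it runs as, and uses a unique file name so that two concurrent web requests do not overwrite each other's hist.jpg. The directory /var/www/r-output, the environment variable R_OUT_DIR and the function name are assumptions for the demonstration; the demo at the bottom uses a temporary directory instead so that it runs anywhere.

```r
# Added example, not from the original page. /var/www/r-output and R_OUT_DIR
# are assumed names; in practice root creates the directory once and gives it
# to www-data (mkdir /var/www/r-output; chown www-data /var/www/r-output).
plot_histogram <- function(somedata,
                           outdir = Sys.getenv("R_OUT_DIR", "/var/www/r-output")) {
  # file.access() returns 0 on success; mode 2 tests for write permission
  if (file.access(outdir, mode = 2) != 0) {
    stop("output directory not writable by ", Sys.info()[["effective_user"]],
         ": ", outdir)
  }
  # unique name per call, so concurrent requests never share a file
  path <- tempfile(pattern = "hist-", tmpdir = outdir, fileext = ".jpg")
  jpeg(path)
  on.exit(dev.off())         # close the device even if hist() fails
  hist(somedata)
  path                       # the caller (e.g. PHP) only needs the path
}

# Demonstration with a temporary directory standing in for /var/www/r-output
demo_dir <- tempfile("r-output-")
dir.create(demo_dir)
img <- plot_histogram(rnorm(100), outdir = demo_dir)   # constructed sample data
cat(img, "\n")                                          # printed for the caller
stopifnot(file.exists(img), file.info(img)$size > 0)
```

When the script prints the path as its last line, the PHP side can pick it up from the return value of shell_exec() and serve the file with readfile(), which also removes the need for the image to live in the web root at all.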