php代码执行原理（php代码运行的方法）

Windows

Windows下终端一般为cmd.exe、powershell.exe等，这里以cmd来测试。终端指令执行原理同上述Linux讲解原理相同，分为终端内置指令与外部调用指令。

那么，针对Windows平台可执行终端，如何进行终端内建指令的判断与查看呢。可惜Windows平台终端不像Linux终端存在相应的type指令进行判断与enable、help指令查看所有内建指令。不过在Windows终端里可以借助where或set PATH指令进行指令判断。

第一种：where指令【不太友好】

从系统环境变量PATH里面定位查询（注意人为增添的环境变量的影响），如果能查到一般来说可以判定为外部调用指令（排除非系统特殊目录），否则为内部调用指令（排除不存在指令）

# 外部调用指令 C:\Users\Qftm>where whoami C:\Windows\System32\whoami.exe C:\Users\Qftm> # 内部调用指令 C:\Users\Qftm>where cd INFO: Could not find files for the given pattern(s). C:\Users\Qftm> # 不存在指令 C:\Users\Qftm>where qftm INFO: Could not find files for the given pattern(s). C:\Users\Qftm> # 内部调用指令（排除人为增添的环境变量的影响）（排除非系统特殊目录） C:\Users\Qftm>where echo D:\QSoftware\W3Server\phpstudy2019\Extensions\MySQL5.7.26\bin\echo.exe C:\Users\Qftm>

第二种：set path指令【友好】

将系统环境变量临时设置为null，然后对指令进行帮助查询，如果能查到则判定为内置指令，否则为外部调用。

# path置空 C:\Users\Qftm>set path= C:\Users\Qftm>path PATH=(null) C:\Users\Qftm> # 内部调用指令 C:\Users\Qftm>cd /? Displays the name of or changes the current directory. CHDIR [/D] [drive:][path] CHDIR [..] CD [/D] [drive:][path] CD [..] .. Specifies that you want to change to the parent directory. Type CD drive: to display the current directory in the specified drive. Type CD without parameters to display the current drive and directory. Use the /D switch to change current drive in addition to changing current directory for a drive. If Command Extensions are enabled CHDIR changes as follows: The current directory string is converted to use the same case as the on disk names. So CD C:\TEMP would actually set the current directory to C:\Temp if that is the case on disk. CHDIR command does not treat spaces as delimiters, so it is possible to CD into a subdirectory name that contains a space without surrounding the name with quotes. For example: cd \winnt\profiles\username\programs\start menu is the same as: cd "\winnt\profiles\username\programs\start menu" which is what you would have to type if extensions were disabled. C:\Users\Qftm> # 外部调用指令 C:\Users\Qftm>whoami /? 'whoami' is not recognized as an internal or external command, operable program or batch file. C:\Users\Qftm> # 不存在指令 C:\Users\Qftm>qftm /? 'qftm' is not recognized as an internal or external command, operable program or batch file. C:\Users\Qftm>

注意：Windows下终端help指令并不能够查询终端内建指令：首先help指令为外部调用指令，然后help指令查询出的所有指令=(内建指令外部指令)

# help：属于外部指令 C:\Users\Qftm>where help C:\Windows\System32\help.exe C:\Users\Qftm> # help：内建指令外部指令（不同于Linux下bash等终端） C:\Users\Qftm>help For more information on a specific command, type HELP command-name ASSOC Displays or modifies file extension associations. ATTRIB Displays or changes file attributes. BREAK Sets or clears extended CTRL C checking. BCDEDIT Sets properties in boot database to control boot loading. CACLS Displays or modifies access control lists (ACLs) of files. CALL Calls one batch program from another. CD Displays the name of or changes the current directory. CHCP Displays or sets the active code page number. CHDIR Displays the name of or changes the current directory. CHKDSK Checks a disk and displays a status report. CHKNTFS Displays or modifies the checking of disk at boot time. CLS Clears the screen. CMD Starts a new instance of the Windows command interpreter. COLOR Sets the default console foreground and background colors. COMP Compares the contents of two files or sets of files. COMPACT Displays or alters the compression of files on NTFS partitions. CONVERT Converts FAT volumes to NTFS. You cannot convert the current drive. COPY Copies one or more files to another location. DATE Displays or sets the date. DEL Deletes one or more files. DIR Displays a list of files and subdirectories in a directory. DISKPART Displays or configures Disk Partition properties. DOSKEY Edits command lines, recalls Windows commands, and creates macros. DRIVERQUERY Displays current device driver status and properties. ECHO Displays messages, or turns command echoing on or off. ENDLOCAL Ends localization of environment changes in a batch file. ERASE Deletes one or more files. EXIT Quits the CMD.EXE program (command interpreter). FC Compares two files or sets of files, and displays the differences between them. FIND Searches for a text string in a file or files. FINDSTR Searches for strings in files. FOR Runs a specified command for each file in a set of files. FORMAT Formats a disk for use with Windows. FSUTIL Displays or configures the file system properties. FTYPE Displays or modifies file types used in file extension associations. GOTO Directs the Windows command interpreter to a labeled line in a batch program. GPRESULT Displays Group Policy information for machine or user. GRAFTABL Enables Windows to display an extended character set in graphics mode. HELP Provides Help information for Windows commands. ICACLS Display, modify, backup, or restore ACLs for files and directories. IF Performs conditional processing in batch programs. LABEL Creates, changes, or deletes the volume label of a disk. MD Creates a directory. MKDIR Creates a directory. MKLINK Creates Symbolic Links and Hard Links MODE Configures a system device. MORE Displays output one screen at a time. MOVE Moves one or more files from one directory to another directory. OPENFILES Displays files opened by remote users for a file share. PATH Displays or sets a search path for executable files. PAUSE Suspends processing of a batch file and displays a message. POPD Restores the previous value of the current directory saved by PUSHD. PRINT Prints a text file. PROMPT Changes the Windows command prompt. PUSHD Saves the current directory then changes it. RD Removes a directory. RECOVER Recovers readable information from a bad or defective disk. REM Records comments (remarks) in batch files or CONFIG.SYS. REN Renames a file or files. RENAME Renames a file or files. REPLACE Replaces files. RMDIR Removes a directory. ROBOCOPY Advanced utility to copy files and directory trees SET Displays, sets, or removes Windows environment variables. SETLOCAL Begins localization of environment changes in a batch file. SC Displays or configures services (background processes). SCHTASKS Schedules commands and programs to run on a computer. SHIFT Shifts the position of replaceable parameters in batch files. SHUTDOWN Allows proper local or remote shutdown of machine. SORT Sorts input. START Starts a separate window to run a specified program or command. SUBST Associates a path with a drive letter. SYSTEMINFO Displays machine specific properties and configuration. TASKLIST Displays all currently running tasks including services. TASKKILL Kill or stop a running process or application. TIME Displays or sets the system time. TITLE Sets the window title for a CMD.EXE session. TREE Graphically displays the directory structure of a drive or path. TYPE Displays the contents of a text file. VER Displays the Windows version. VERIFY Tells Windows whether to verify that your files are written correctly to a disk. VOL Displays a disk volume label and serial number. XCOPY Copies files and directory trees. WMIC Displays WMI information inside interactive command shell. For more information on tools see the command-line reference in the online help. C:\Users\Qftm>

接着对终端（内置|外置）命令进行测试，测试终端cmd.exe：

测试：whoami指令

先对whoami指令进行类型探测与指令定位查询

# 类型探测：外部调用指令 # 定位查询：系统可执行程序 C:\Users\Qftm>where whoami C:\Windows\System32\whoami.exe C:\Users\Qftm>

然后，在cmd终端写入For循环执行whoami指令查看是否为内部执行或外部调用

C:\Users\Qftm>for /l %i in (1,1,1000000) do whoami

另一侧，打开任务管理进行cmd终端的监控，可发现whoami指令并非cmd.exe终端内置封装的指令

php代码执行原理,php代码运行的方法(5)

测试：echo指令

同样，对echo指令进行类型探测与指令定位查询

# 类型探测：内部调用指令 # 定位查询：非系统可执行程序 C:\Users\Qftm>where echo D:\QSoftware\W3Server\phpstudy2019\Extensions\MySQL5.7.26\bin\echo.exe C:\Users\Qftm>

然后，在cmd终端写入For循环执行echo指令查看是否为内部执行或外部调用

for /l %i in (1,1,1000000) do echo 1

另一侧，打开任务管理进行cmd终端的监控，可以发现echo指令为终端内置封装的指令，并未出现外部调用

php代码执行原理,php代码运行的方法(6)

语言差异

针对命令执行函数，底层实现上是否存在命令执行程序 cmd.exe、/bin/sh、/bin/bash 等，去执行命令执行函数传入的参数【系统命令】。这个过程相当于底层是否引入第三方可执行终端去执行相应命令。

比如：可执行函数(系统命令)

CommandExecFunc(echo 111 > shell.txt); //echo是一个可执行程序

上述命令执行函数模型在【Linux平台/windows平台】不同语言下面执行效果不同。

PHP

PHP - 底层调用系统终端，执行命令 Mode => Window：cmd.exe /c Command || Linux：sh -c Command

在PHP语言里面，针对Linux平台，系统命令echo 111 > shell.txt传入CommandExecFunc函数，最终在底层相当于执行/bin/sh -c echo 111 > shell.txt。成功创建文件shell.txt【执行过程相当于：在/bin/sh终端下执行命令echo 111，并将echo结果通过重定向符写入文件shell.txt中。这里的重定向符不是echo中的参数或字符串，而是在/bin/sh下面起特殊作用。这里的echo并不是可执行程序/bin/echo，而是/bin/sh执行终端中的内建命令】【进程相关：一个进程/bin/sh，在/bin/sh进程中执行系统命令，而不是执行系统程序】

跟踪一下程序执行流程：For Linux

利用strace程序执行监视可知，底层通过execve系统调用来启动相关进程、然后通过/bin/sh进程来执行相关指令（此处echo为sh内置指令）。

┌──(roottoor)-[~/桌面/CodeDebug/php] └─# strace -f -e execve php -r "system('echo 111 > shell.txt');" execve("/usr/bin/php", ["php", "-r", "system('echo 111 > shell.txt');"], 0x7ffd51277198 /* 53 vars */) = 0 strace: Process 3436 attached [pid 3436] execve("/bin/sh", ["sh", "-c", "echo 111 > shell.txt"], 0x562c96ef1eb0 /* 53 vars */) = 0 [pid 3436] exited with 0 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3436, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- exited with 0 ┌──(roottoor)-[~/桌面/CodeDebug/php] └─# ls shell.txt ┌──(roottoor)-[~/桌面/CodeDebug/php] └─#

同理，针对Windows平台：系统命令echo 111 > shell.txt传入CommandExecFunc函数，最终在底层相当于执行cmd.exe /c echo 111 > shell.txt。成功创建文件shell.txt【执行过程相当于：在cmd终端下执行命令echo 111，并将echo结果通过重定向符写入文件shell.txt中。【进程相关：一个进程cmd.exe，在cmd.exe进程中执行系统命令，而不是执行系统程序】