Is shell_exec() disabled?

Website URL

Error Message

I turned error messages on in “Alter PHP Directives,” still no messages.

Other Information

This is a custom script I made which uses shell_exec() to run cURL on the server. The problem is either cURL isn’t installed or that shell_exec() has been disabled. Which of these is causing my problem?

I also tested it on localhost with a default PHP install.

<!DOCTYPE html>
<html lang="en" style="width: 100%; height: 100%;">

        <meta charset="UTF-8">
        <meta name="viewport" content="width=device-width, initial-scale=1.0">
        <meta http-equiv="X-UA-Compatible" content="ie=edge">
        <title>Scarlet Installer</title>

<body style="width: 100%; height: 100%; margin: 0;">
        <div style="display: flex; align-items: center; justify-content: center; width: 100%; height: 100%;">
                <a href="<?php
                                $res = shell_exec('curl -s -D - --referer -o /dev/null');
                                preg_match("/(?<=Location: ).*/i", $res, $matches);
                                echo $matches[0]; ?>" style="font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif; text-decoration: none; color: white; background: black; border: 1em solid black; border-radius: 0.7em; text-align: center;">Install</a>


Use the PHP’s curl API instead? You cannot execute commands here hence why that function is disabled.


Hi erttrk,

shell_exec is one of the functions disabled on free hosting accounts. You should avoid executing commands in webpages for best practise.

Here’s a compiled list for all functions of this nature and workarounds if appliable.

For your code, I suggest:

  1. Moving redirection logics before outputing any HTML
  2. Convert the curl command to use PHP native curl functions (those are allowed)



Thank you for your help! Could you link any resources for compiling php with curl apis?

Hi erttrk.

PHP already comes with curl functions, you can use those to communciate with your APIs.



Also I’m not redirecting the user anyway. All the script does is process the value of the location header from a cURL command with some regex.

Hi erttrk,

If you need to redirect users, use this code:

header(sprintf('location: %s', $your_location));

You need not output anything in this case as they’ll be redirected right away.

I can’t, I tested it, but it requires the user to accept another popup as the user agent doesn’t consider it a trusted event, maybe there is a fix for this?

What is the thing that you’re trying to achieve when the user lands on your page? To redirect them to a secured download link of a file?

No, I’m getting the dynamic, always changing URL from a site that requires a specific Referer to acess said resource and then put a button with a link to said url.

It goes like this:

user visits my site, my site runs curl request to other site, does regex on it, sends back to client in a nicely formatted page with an install button.

Just a test here, you do need to compile PHP with cURL functionality.

PHP docs says that you need to do that:

Hi erttrk,

That’s on your localhost, you need to find a stock PHP version, this is definitely not the normal PHP to begin with.


It is, atleast on Windows, PHP For Windows: Binaries and sources Releases.
I got apache from the official website windows builds, can’t remember the link.
I followed this guide How to Install PHP on Apache in Windows? - GeeksforGeeks

If you’re running Windows, try WAMP instead.

For intro info:

For the software files:


Bloated af.

I’m gonna install php in WSL and test it out again.

Depending on what you identify as bloat, you can choose to use only the things you need. If you consider the UI as bloat then…

Not sure if you can get the exact same PHP experience in WSL as there are differences in running Python afaik.