Security News
Crates.io Implements Trusted Publishing Support
Crates.io adds Trusted Publishing support, enabling secure GitHub Actions-based crate releases without long-lived API tokens.
By Sarah Gooding - Jul 16, 2025
You're Invited:Meet the Socket Team at BlackHat and DEF CON in Las Vegas, Aug 4-6.RSVP →
node-php-runner
This module allows you to run PHP code in Node.js in various ways:
- Run PHP scripts.
- Run PHP scripts and pass them JSON data from Node.js.
- Use PHP as a view engine (templating system) for Express framework applications.
To use this module, you must have PHP installed and in your PATH.
This module was built and is maintained by the Roosevelt web framework team, but it can be used independently of Roosevelt as well.
Run a PHP script in Node.js
const php = require('php')
const output = await php.run('some_php_script.php')
Run a PHP script in Node.js and pass it data
const php = require('php')
const output = await php.runWithData('some_php_script.php', { hello: 'world' })
Then, assuming your some_php_script.php file looks like this:
<p><?=$hello?></p>
The output will be:
<p>world</p>
Use with Express
const express = require('express')
const app = express()
const php = require('php')
// setup PHP templating engine
app.set('views', path.join(__dirname, 'templates'))
app.set('view engine', 'php') // set PHP as a view engine in your Express app
app.engine('php', php.__express)
// define a route
app.get('/', (req, res) => {
res.render('index.php', {
hello: 'world'
})
})
Then, assuming your templates/index.php looks like this:
<p><?=$hello?></p>
The output will be:
<p>world</p>
Configuration
As shown in the above examples, this module will register values from the data model you pass to the PHP script as global variables in your PHP script by default when you use PHP as an Express view engine or when you call runWithData. You can disable this behavior if desired in the following ways:
Disable registering globally:
const php = require('php')
php.disableRegisterGlobalModel()
// can be reenabled by calling php.enableRegisterGlobalModel()
Disable registering on a per render basis in Express:
app.get('/', (req, res) => {
res.render('index.php', {
_REGISTER_GLOBAL_MODEL: false,
hello: 'world'
})
})
Disable registering on a per render basis in runWithData (though if you're doing this, you probably should just use php.run() instead, as that method was written to use simpler logic that doesn't support passing data to PHP):
const output = await php.runWithData('some_php_script.php', {
_REGISTER_GLOBAL_MODEL: false,
hello: 'world'
})
1.1.0
- Added
runandrunWithDatamethods so this module can be used as a general purpose PHP runner. - Updated various dependencies.
Keywords
FAQs
Allows you to run PHP code in Node.js in various ways.
The npm package php receives a total of 0 weekly downloads. As such, php popularity was classified as not popular.
We found that php demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 4 open source maintainers collaborating on the project.
Package last updated on 15 Jun 2024
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Research
/Security News
Tracking Protestware Spread: 28 npm Packages Affected by Payload Targeting Russian-Language Users
Undocumented protestware found in 28 npm packages disrupts UI for Russian-language users visiting Russian and Belarusian domains.
By Olivia Brown - Jul 15, 2025
Research
/Security News
Contagious Interview Campaign Escalates With 67 Malicious npm Packages and New Malware Loader
North Korean threat actors deploy 67 malicious npm packages using the newly discovered XORIndex malware loader.
By Kirill Boychenko - Jul 14, 2025