18.21. Escaping Shell Metacharacters
You need to incorporate external data in a command line, but you want to escape out special characters so nothing unexpected happens; for example, you want to pass user input as an argument to a program.
system('ls -al '.escapeshellarg($directory));
Use escapeshellcmd( ) to handle program names:
The command line is a dangerous place for unescaped characters. Never pass unmodified user input to one of PHP's shell-execution functions. Always escape the appropriate characters in the command and the arguments. This is crucial. It is unusual to execute command lines that are coming from web forms and not something we recommend lightly. However, sometimes you need to run an external program, so escaping commands and arguments is useful.
Using escapeshellarg( ) ensures that the right process is displayed even if it has an unexpected character (e.g., a space) in it. It also prevents unintended commands from being run. If $process_id contains:
1; rm -rf /
runs the command /bin/ps 1; rm -rf, which produces an error because "1-semicolon-space-rm-space-hyphen-rf" isn't a valid process ID.
Similarly, escapeshellcmd( ) prevents unintended command lines from execution. This code runs a different program depending on the value of $which_program:
For example, if $which_program is pdf 12, the script runs /usr/local/bin/formatter-pdf with an argument of 12. But, if $which_program is pdf 12; 56, the script runs /usr/local/bin/formatter-pdf with an argument of 12, but then also runs the program 56, which is an error. To successfully pass the arguments to formatter-pdf, you need escapeshellcmd( ):
This runs /usr/local/bin/formatter-pdf and passes it two arguments: 12 and 56.
18.21.4. See Also
Copyright © 2003 O'Reilly & Associates. All rights reserved.