InfinityQuest - Programming Code Tutorials and Examples with Python, C++, Java, PHP, C#, JavaScript, Swift and more

Escaping Shell Metacharacters in PHP

InfinityCoder December 26, 2016

You need to incorporate external data in a command line, but you want to escape special characters so nothing unexpected happens; for example, you want to pass user input as an argument to a program.

Use escapeshellarg() to handle arguments and escapeshellcmd() to handle program names:

system('ls -al '.escapeshellarg($directory));
system(escapeshellcmd($ls_program).' -al');

The command line is a dangerous place for unescaped characters. Never pass unmodified user input to one of PHP’s shell-execution functions.

Always escape the appropriate characters in the command and the arguments. This is crucial.

It is unusual to execute command lines that are coming from web forms and not something we recommend lightly.

However, sometimes you need to run an external program, so escaping commands and arguments is useful.
escapeshellarg() surrounds arguments with single quotes (and escapes any existing single quotes).

This example uses escapeshellarg() in printing the process status for a particular process:

system('/bin/ps '.escapeshellarg($process_id));

Using escapeshellarg() ensures that the right process is displayed even if its ID has an unexpected character (e.g., a space) in it.

It also prevents unintended commands from being run. If $process_id contains 1; rm -rf /, then system("/bin/ps $process_id") not only displays the status of process 1, but also executes the command rm -rf /.
However, system('/bin/ps '.escapeshellarg($process_id)) runs /bin/ps with the single argument '1; rm -rf /', which produces an error because the string 1; rm -rf / (one, semicolon, space, rm, space, hyphen, rf) isn't a valid process ID.
Similarly, escapeshellcmd() prevents unintended command lines from executing.

The command system("/usr/local/bin/formatter-$which_program"); runs a different program depending on the value of $which_program.
For example, if $which_program is pdf 12, the script runs /usr/local/bin/formatter-pdf with an argument of 12.

But if $which_program is pdf 12; 56, the script runs /usr/local/bin/formatter-pdf with an argument of 12, but then also runs the program 56, which is an error.
To successfully pass the arguments to formatter-pdf, you need escapeshellcmd(): system(escapeshellcmd("/usr/local/bin/formatter-$which_program"));.
This runs /usr/local/bin/formatter-pdf and passes it two arguments: 12; and 56.
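As an added example (not code from the original recipe), the following script builds the command strings discussed above without executing them, so you can see exactly what the shell would receive for the inputs the text describes; the allowlist of formatter names is an assumption for illustration, not something the recipe defines.

```php
<?php
// Added example: build the command lines from the recipe and return them
// instead of calling system(), so the effect of each escape function is visible.

// Argument position: escapeshellarg() wraps the value in single quotes and
// escapes embedded quotes, so the whole value reaches ps as ONE argument.
function build_ps_command(string $process_id): string
{
    return '/bin/ps ' . escapeshellarg($process_id);
}

// Program-name position: escapeshellcmd() backslash-escapes shell
// metacharacters (; | & $ ` and others) so the shell treats them literally.
function build_formatter_command(string $which_program): string
{
    return escapeshellcmd("/usr/local/bin/formatter-$which_program");
}

// Stricter variant (assumption, not from the recipe): when the set of valid
// programs is known, check the name against an allowlist and pass the rest
// through escapeshellarg() rather than relying on escaping the whole string.
function build_formatter_command_strict(string $which_program): ?string
{
    $allowed = ['pdf', 'html'];   // constructed allowlist for the example
    $parts = preg_split('/\s+/', trim($which_program), 2);
    if (!in_array($parts[0], $allowed, true)) {
        return null;              // unknown formatter name: refuse to build it
    }
    $cmd = '/usr/local/bin/formatter-' . $parts[0];
    if (isset($parts[1]) && $parts[1] !== '') {
        $cmd .= ' ' . escapeshellarg($parts[1]);
    }
    return $cmd;
}

// Constructed inputs mirroring the recipe's examples.
echo build_ps_command('1; rm -rf /'), "\n";
echo build_formatter_command('pdf 12; 56'), "\n";
var_dump(build_formatter_command_strict('pdf 12; 56'));
var_dump(build_formatter_command_strict('sh 12'));
```

Comparing the printed strings against the explanation above shows the quoting each function adds; none of the commands are run.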
