Delicious Bookmark this on Delicious Share on Facebook SlashdotSlashdot It! Digg! Digg



PHP : Function Reference : Program Execution Functions : escapeshellarg

escapeshellarg

Escape a string to be used as a shell argument (PHP 4 >= 4.0.3, PHP 5)
string escapeshellarg ( string arg )

Example 2010. escapeshellarg() example

<?php
system
('ls '.escapeshellarg($dir));
?>

Code Examples / Notes » escapeshellarg

egorinsk

Under Windows, this function puts string into double-quotes, not single, and replaces %(percent sign) with a space, that's why it's impossible to pass a filename with percents in its name through this function.

jbriggs

This function returns nothing when called with an empty argument.
escapeshellarg("b'lah") returns 'b'\''lah'
but escapeshellarg("") returns ""


phpnet

This function does not escape $ it seems. This lets user embed shell variables such as $PATH into commands, which you may or may not want to allow.  I'm using shell_exec() because I need the entire command as one string, and need access to the stdout data as one string as well.

antony lesuisse

NOTE: If you are using PHP >= 4.2 you should use the pcntl_* (Process
Control) functions instead of this hack.
PHP, before version 4.2, didn't provide any execl(3)-like or
execv(3)-like methods to invoke external programs, thus everything
goes trough /bin/sh -c and we are forced to quote arguments.
To make it worse escapeshellarg() behaves badly (IMHO) with an empty
string:
<?php
   echo "mime-construct --to ".escapeshellarg($to)." --cc a@a.com";
?>
The following function is a wrapper to system(), and it can be adapted
to popen(),exec(),shell_exec():
<?php
   # system with perl? semantics
   function lib_system() {
       $arg=func_get_args();
       if(is_array($arg[0]))
           $arg=$arg[0];
       $cmd=array_shift($arg);
       foreach($arg as $i) {
           $cmd.=" ''".escapeshellarg($i);;
       }
       system($cmd);
   }
   # example1
   lib_system("mime-construct","--output", "--to",$a,"--string",$b);
   # example2
   lib_system(array("mime-construct","--output", "--to",$a,"--string",$b));
?>


22-may-2006 01:25

Most of the comments above have misunderstood this function. It does not need to escape characters such as '$' and '`' - it uses the fact that the shell does not treat any characters as special inside single quotes (except the single quote character itself). The correct way to use this function is to call it on a variable that is intended to be passed to a command-line program as a single argument to that program - you do not call it on command-line as a whole.
The person above who comments that this function behaves badly if given the empty string as input is correct - this is a bug. It should indeed return two single quotes in this case.


ludvig dot ericson

It seems from my tests that escapeshellarg("`ls -al`") is _NOT_ escaped into \`ls -al\` as it should be.
Anyway, a bash/sh environment does not seem to interprett ` inside of a singleqoute (').
$ echo "`echo hello`"
hello
$ echo '`echo hello`'
`echo hello`
$ echo "\`echo hello\`"
`echo hello`
Just a tip.


php

In reply to vosechu at roman-fleuve dot com: Even if it's two "'s or two ''s, this function wouldn't work the way it's supposed to (that is, returning nothing). However, most people do not put "" into their commands...
When many commands are executed, the order of the parameters is of critical importance, especially with shell scripts where $1, $2, $3, etc. are commonly used without checking what is stored in them first.  In such cases, having this function not return even an empty parameter will break things.
As was mentioned earlier, putting two single quotes '' before the output of this function will remedy this issue, as the '' in itself will not add any characters to that command line parameter, but it will turn it into a placeholder for that parameter when the value is empty.


vosechu

If escapeshellarg() returned something on a null input it would probably break more programs than it helps. Even if it's two "'s or two ''s, this function wouldn't work the way it's supposed to (that is, returning nothing).
However, most people do not put "" into their commands but I can see where it might be useful at the same time.
Perhaps an option in the command that would return the type of null we want. I might want the null character to be returned, someone else might want '', and someone else might want nothing at all.


php

i also thought the output was gonna be between 's because that's the way windows handles arguments with spaces in them. i think we have a unix <> windows misunderstanding here...

18-may-2005 07:37

According to my test (PHP 4.3.10) there is no need to call escapeshellarg() on a filename that is being written to by proc_open, and probably others. E.g.
<?php
$process = proc_open("echo hi",
                              array(
                                 0 => array("pipe", "r"),
                                 1 => array("file", 'filename with spaces', "w"),
                                 2 => array("pipe", "w"),
                              ),
                              $pipes);
?>
creates a file named:
filename with spaces
In fact,
<?php
        1 => array("file", escapeshellarg('filename with spaces')
?>
creates a file named:
'filename with spaces'
(quotes included in filename.) Maybe all the PHP functions that take a filename as a separate parameter work this way. I guess you just need to escape filenames when they are part of a single string command line such as with the backtick operator, system(), etc.


Change Language


Follow Navioo On Twitter
escapeshellarg
escapeshellcmd
exec
passthru
proc_close
proc_get_status
proc_nice
proc_open
proc_terminate
shell_exec
system
eXTReMe Tracker