escapeshellcmd
Escape shell metacharacters
**escapeshellcmd**(string $command): string
escapeshellcmd() escapes any characters in a string that might be used to trick a shell command into executing arbitrary commands. This function should be used to make sure that any data coming from user input is escaped before this data is passed to the exec() or system() functions, or to the backtick operator.
Following characters are preceded by a backslash: `` &#;`|*?~<>^()[]{}$\ ``, `\x0A` and `\xFF`. `'` and `"` are escaped only if they are not paired. On Windows, all these characters plus `%` and `!` are preceded by a caret (`^`).
Parameters

command: The command that will be escaped.

Return Values

The escaped string.
Example: escapeshellcmd() example
```php
<?php
// We allow arbitrary number of arguments intentionally here.
$command = './configure '.$_POST['configure_options'];
$escaped_command = escapeshellcmd($command);
system($escaped_command);
?>
```
Warning: escapeshellcmd() should be used on the whole command string, and it still allows the attacker to pass arbitrary number of arguments. For escaping a single argument escapeshellarg() should be used instead.
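The following is an added example, not code from the PHP manual, that makes the warning above concrete with the manual's own ./configure scenario. It builds command strings without executing them: one builder appends the user-supplied option string and escapes the whole line with escapeshellcmd(), the other takes a list of options, checks each against an allow-list pattern (a hypothetical policy chosen for this example) and quotes each one with escapeshellarg() so it can only ever become a single argument. The inputs are constructed stand-ins for `$_POST['configure_options']`.

```php
<?php
// Added example (not from the PHP manual). Nothing here runs a command;
// the functions only build and return strings for comparison.

/**
 * Mirrors the manual's example: the caller-supplied option string is
 * appended as-is and the whole line goes through escapeshellcmd().
 * Shell metacharacters are neutralised, but spaces are not, so the input
 * still decides how many arguments ./configure receives.
 */
function build_configure_unsafe(string $user_options): string
{
    return escapeshellcmd('./configure ' . $user_options);
}

/**
 * Hardened form: accept a list of options, validate each against a strict
 * allow-list (hypothetical policy: --name or --name=value with a
 * conservative character set), and quote each one with escapeshellarg().
 *
 * @param string[] $user_options
 * @return string|null  null when any option fails validation
 */
function build_configure_safe(array $user_options): ?string
{
    $parts = ['./configure'];
    foreach ($user_options as $opt) {
        if (!preg_match('/^--[a-z][a-z0-9-]*(=[A-Za-z0-9_.\/-]+)?$/', $opt)) {
            return null; // reject rather than try to repair the input
        }
        $parts[] = escapeshellarg($opt); // one option == one argument
    }
    return implode(' ', $parts);
}

// Constructed inputs standing in for $_POST['configure_options'].
$inputs = [
    '--prefix=/opt/app',                 // what a legitimate user sends
    '--prefix=/opt/app --enable-debug',  // a second argument smuggled in via a space
    '--prefix=/opt/app; id',             // metacharacter: escaped to \; but still two words
];

foreach ($inputs as $in) {
    echo "input:          ", $in, "\n";
    echo "escapeshellcmd: ", build_configure_unsafe($in), "\n";
    echo "escapeshellarg: ", build_configure_safe([$in]) ?? '(rejected by allow-list)', "\n\n";
}

// The intended way to pass several options: one list element per option.
echo build_configure_safe(['--prefix=/opt/app', '--enable-debug']), "\n";
```

With escapeshellcmd() the second and third inputs still reach ./configure as two arguments (the `;` becomes `\;`, which the shell turns back into a literal semicolon inside the first word, and `id` is a separate argument); with the per-option builder they are rejected, and the legitimate multi-option call comes out as `./configure '--prefix=/opt/app' '--enable-debug'` on Unix (double quotes on Windows), each option being exactly one argument regardless of its content.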
Warning: Spaces will not be escaped by escapeshellcmd() which can be problematic on Windows with paths like: `C:\Program Files\ProgramName\program.exe`. This can be mitigated using the following code snippet:
See Also

escapeshellarg(), exec(), popen(), system(), backtick operator