Best way to sanitize exec command with user inserted variables

Use the function that PHP has for this purpose:

$cmd =      "/usr/bin/do-something " .      escapeshellarg($arg1) .      ' ' .      escapeshellarg($arg2);

You can also use escapeshellcmd()

What's the difference?

escapeshellarg() ONLY adds ' around the string and then \ before any other ' characters.http://www.php.net/escapeshellarg

escapeshellcmd() escapes all shell-sensitive characters ($, \, etc..) but does not add quotes.http://www.php.net/manual/en/function.escapeshellcmd.php

The gotcha is in the case that you use escapeshellarg() as PART OF A QUOTED parameter. Then it is rendered useless (actually adding quotes to the mix).

Generally speaking, we prefer to use escapeshellcmd() with our own quotes added.

$cmd =     "/usr/bin/do-something '" .     escapeshellcmd($arg1) .     "' '" .     escapeshellcmd($arg2) .     "'";

Be safe!

CodeHunter

Best way to sanitize exec command with user inserted variables

Recent Posts

How can I color dots in a xy scatterplot according to column value?

How to update a claim in ASP.NET Identity?

What does {0} mean when initializing an object?

Accessing members of items in a JSONArray with Java

How to log SQL statements in Spring Boot?

Powershell Get-WebSite name parameter is ignored

How to detect scroll to bottom of html element

Java synchronized method

How to test controllers with CodeIgniter?

Detect Visual Composer

Matplotlib: Specify format of floats for tick labels

Rails join a list of strings with commas and "and" before the last