Best way to sanitize exec command with user inserted variables

Tags: php


Use the function that PHP has for this purpose:

    // escapeshellarg() quotes each value, one call per argument
    $cmd = "/usr/bin/do-something " .
           escapeshellarg($arg1) .
           ' ' .
           escapeshellarg($arg2);

You can also use escapeshellcmd()

What's the difference?

escapeshellarg() ONLY adds ' around the string and then \ before any other ' characters. http://www.php.net/escapeshellarg

escapeshellcmd() escapes all shell-sensitive characters ($, \, etc.) but does not add quotes. http://www.php.net/manual/en/function.escapeshellcmd.php

The gotcha is in the case that you use escapeshellarg() as PART OF A QUOTED parameter. Then it is rendered useless (actually adding quotes to the mix).

Generally speaking, we prefer to use escapeshellcmd() with our own quotes added.

    // escapeshellcmd() backslash-escapes the metacharacters; the single quotes are added by hand
    $cmd = "/usr/bin/do-something '" .
           escapeshellcmd($arg1) .
           "' '" .
           escapeshellcmd($arg2) .
           "'";

Be safe!
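An added PHP example, not part of the question or of the answer above, that makes the difference between the two functions and the quoting gotcha observable: it runs a few constructed inputs through escapeshellarg(), through bare escapeshellcmd(), and through escapeshellcmd() wrapped in hand-written single quotes (the form the answer prefers), and reports how many argv words the shell actually delivered in each case. The program is printf rather than the hypothetical /usr/bin/do-something, because printf '<%s>\n' prints one line per argument it receives, so one line means the value survived as a single word and extra lines mean the shell split it. It assumes PHP on Linux/Unix, where exec() runs the command through /bin/sh and escapeshellarg() uses single quotes.

```php
<?php
// Added example (not from the original post). Compares escapeshellarg() with
// escapeshellcmd(), bare and inside hand-written quotes, by running each
// generated command line and counting the words the shell passes to printf.
// Assumes Linux/Unix: exec() uses /bin/sh, escapeshellarg() uses single quotes.

function runViaShell(string $cmd): array
{
    $lines = [];
    $rc = 0;
    exec($cmd . ' 2>&1', $lines, $rc);   // capture stderr too, to see shell syntax errors
    return ['exit' => $rc, 'lines' => $lines];
}

function buildCommands(string $arg): array
{
    $prog = "printf '<%s>\\n' ";        // the shell sees: printf '<%s>\n'
    return [
        // 1. escapeshellarg(): adds the quotes itself; one call per argument.
        'escapeshellarg'          => $prog . escapeshellarg($arg),
        // 2. escapeshellcmd() with no quotes: metacharacters are backslashed,
        //    but whitespace still separates words.
        'escapeshellcmd (bare)'   => $prog . escapeshellcmd($arg),
        // 3. escapeshellcmd() inside our own single quotes, as in the answer.
        'escapeshellcmd (quoted)' => $prog . "'" . escapeshellcmd($arg) . "'",
    ];
}

// Constructed inputs chosen to exercise the cases discussed above.
$inputs = [
    'plain.txt',
    'two words',
    "it's here",               // one unpaired single quote
    '$(id) `id`',              // command substitution characters
    "report' --verbose 'x",    // paired single quotes: escapeshellcmd() leaves them alone
];

foreach ($inputs as $arg) {
    echo 'input: ' . var_export($arg, true) . "\n";
    foreach (buildCommands($arg) as $label => $cmd) {
        $r = runViaShell($cmd);
        printf("  %-24s exit=%d argv: %s\n", $label, $r['exit'], implode(' ', $r['lines']));
    }
    echo "\n";
}
```

Run it with the php CLI and compare the rows: the escapeshellarg row always shows exactly one <...> word, the bare escapeshellcmd row splits on whitespace (and the shell still sees the quotes in the paired-quote input as quotes), and the quoted escapeshellcmd row exits with a shell syntax error for the apostrophe input (the escaped ' terminates your own quoting) and turns the paired-quote input into three separate words, which is exactly how an extra argument or option gets injected into the command.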