Best way to sanitize exec command with user inserted variables
Use the function that PHP has for this purpose:
$cmd = "/usr/bin/do-something " . escapeshellarg($arg1) . ' ' . escapeshellarg($arg2);
You can also use escapeshellcmd().
What's the difference?
escapeshellarg() ONLY adds ' around the string and then \ before any other ' characters. http://www.php.net/escapeshellarg
escapeshellcmd() escapes all shell-sensitive characters ($, \, etc.) but does not add quotes. http://www.php.net/manual/en/function.escapeshellcmd.php
The gotcha is in the case that you use escapeshellarg() as PART OF A QUOTED parameter. Then it is rendered useless (actually adding quotes to the mix).
Generally speaking, we prefer to use escapeshellcmd() with our own quotes added.
$cmd = "/usr/bin/do-something '" . escapeshellcmd($arg1) . "' '" . escapeshellcmd($arg2) . "'";
Be safe!
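
The two quoting styles discussed above, compared side by side. This is an added example, not part of the original answer: it runs constructed inputs through both styles and prints the arguments that /bin/sh actually delivers. It assumes a POSIX shell, and printf stands in for the real command.

```php
<?php
// Added example, not from the original answer. Assumes a POSIX /bin/sh.
// printf is a harmless stand-in for the real command; all inputs are constructed.

/**
 * Pass already-quoted arguments to printf through the shell.
 * Returns one array element per argument the shell delivered.
 */
function shell_argv(string $quotedArgs): array
{
    $lines = [];
    exec("printf '[%s]\\n' " . $quotedArgs, $lines);
    return $lines;
}

// Constructed sample values covering the cases the two functions treat differently.
$samples = [
    'report.txt',   // plain value
    "it's",         // one unpaired single quote
    "a' 'b",        // paired single quotes
    'cost $5',      // shell metacharacter
];

foreach ($samples as $input) {
    $styles = [
        'escapeshellarg()'        => escapeshellarg($input),
        "'escapeshellcmd()'"      => "'" . escapeshellcmd($input) . "'",
    ];

    echo "input: {$input}\n";
    foreach ($styles as $label => $quoted) {
        $argv = shell_argv($quoted);
        printf(
            "  %-20s sent: %-18s argc=%d  %s\n",
            $label,
            $quoted,
            count($argv),
            implode(' ', $argv)
        );
    }
}
```

For each input, argc=1 with the bracketed value identical to the input means the string reached the command as a single, unmodified argument. Any other count, or a value that differs from the input, means that quoting style did not preserve it.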