PHP » I/O » escapeshellcmd()

string escapeshellcmd(string command)

command: The command string to be escaped.

Escapes shell metacharacters in a command string.

It can be risky to pass user supplied data to the external execution functions such as exec() and system(). If it has to be done, it is a good idea to first use escapeshellcmd() on the data. The function returns a string in which shell metacharacters have been escaped with a backslash, which limits what a user can make the shell do with the string. The escaped characters include, among others, semicolons, dollar signs, wildcards, pipes, redirections, parentheses, quotes, brackets, braces, backticks, ampersands, backslashes and line feeds. Single and double quotes are escaped only when they are not paired. Note that spaces and hyphens are not escaped: escapeshellcmd() keeps the string from being interpreted by the shell, but it does not keep the called program from receiving extra arguments, so user data that is meant to be one argument should be passed through escapeshellarg() instead.



$usrcmd = 'ls -la ; rm -rf $HOME/*';
print escapeshellcmd($usrcmd);

Output:

ls -la \; rm -rf \$HOME/\*

$usrcmd simulates a user supplied command line where a harmless command is followed by a malicious attempt to delete data. The escapeshellcmd() call escapes the semicolon so that the shell treats it as a literal character rather than a command separator, escapes the dollar sign so that the environment variable is not expanded, and escapes the wildcard so that it is not expanded into a list of files. The spaces and the hyphen in the string are left untouched.
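The following is an added example, not code from the original page, that puts escapeshellcmd() beside escapeshellarg() for a command where only one part of the line comes from the user. The scenario (listing a user supplied directory with ls, the helper names build_with_escapeshellcmd() and build_with_escapeshellarg(), and the sample inputs) is constructed for illustration; the escaping shown is the POSIX behaviour of both functions, which differs on Windows.

```php
<?php
// Added example (not part of the original page). Assumed scenario: a script
// that runs `ls -la` on a directory name taken from user input.

function build_with_escapeshellcmd(string $dir): string
{
    // Escapes metacharacters over the whole command line. Spaces and hyphens
    // are not metacharacters, so the user can still append extra arguments.
    return escapeshellcmd("ls -la " . $dir);
}

function build_with_escapeshellarg(string $dir): string
{
    // Wraps the single value in single quotes (escaping any quote inside it),
    // so it reaches ls as exactly one argument. "--" ends option parsing so a
    // value beginning with "-" cannot be read as an option either.
    return "ls -la -- " . escapeshellarg($dir);
}

// Constructed sample inputs.
$inputs = [
    'ls -la ; rm -rf $HOME/*', // the page's own example: shell metacharacters
    '/tmp -R /',               // no metacharacters, but injects an extra argument
    "it's",                    // unpaired quote
    "'quoted'",                // paired quotes
];

foreach ($inputs as $in) {
    printf("input          : %s\n", $in);
    printf("  escapeshellcmd : %s\n", build_with_escapeshellcmd($in));
    printf("  escapeshellarg : %s\n", build_with_escapeshellarg($in));
}
```

For the second input escapeshellcmd() returns `ls -la /tmp -R /` unchanged, so the program would list the whole filesystem recursively even though nothing reached the shell; escapeshellarg() turns the same input into `ls -la -- '/tmp -R /'`, a single (nonexistent) directory name. The third and fourth inputs show the pairing rule: escapeshellcmd() produces `it\'s` but leaves `'quoted'` as it is, while escapeshellarg() quotes both unconditionally.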

See Also: