November 2002
Intermediate to advanced
640 pages
16h 33m
English
Content preview from PHP CookbookBecome an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.
18.20. Escaping Shell Metacharacters
Problem
You need to incorporate external data in a command line, but you want to escape out special characters so nothing unexpected happens; for example, you want to pass user input as an argument to a program.
Solution
Use escapeshellarg( )
to handle arguments:
system('ls -al '.escapeshellarg($directory));Use escapeshellcmd( ) to handle program names:
system(escapeshellcmd($ls_program).' -al');
Discussion
The command line is a dangerous place for unescaped characters. Never pass unmodified user input to one of PHP’s shell-execution functions. Always escape the appropriate characters in the command and the arguments. This is crucial. It is unusual to execute command lines that are coming from web forms and not something we recommend lightly. However, sometimes you need to run an external program, so escaping commands and arguments is useful.
escapeshellarg( ) surrounds arguments with
single quotes (and
escapes any existing single quotes). To print the process status for
a particular process:
system('/bin/ps '.escapeshellarg($process_id));Using escapeshellarg( ) ensures that the right
process is displayed even if it has an unexpected character (e.g., a
space) in it. It also prevents unintended commands from being run. If
$process_id contains:
1; rm -rf /
then:
system("/bin/ps $process_id")not only displays the status of process 1, but it also executes the command rm -rf / . However:
system('/bin/ps '.escapeshellarg($process_id))runs the command ...
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.
Read now
Unlock full access
More than 5,000 organizations count on O’Reilly
O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.Julian F.
I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.Addison B.
I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.Amir M.
I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.