Programming PHP, 3rd Edition by Peter MacIntyre, Kevin Tatroe, Rasmus Lerdorf


Shell Commands

Be very wary of using the exec(), system(), passthru(), and popen() functions and the backtick (`) operator in your code. The shell is a problem because it recognizes special characters (e.g., semicolons to separate commands). For example, suppose your script contains this line:

system("ls {$directory}");

If the user passes the value "/tmp;cat /etc/passwd" as the $directory parameter, your password file is displayed because system() executes the following command:

ls /tmp;cat /etc/passwd

In cases where you must pass user-supplied arguments to a shell command, use escapeshellarg() on the string to escape any sequences that have special meaning to shells:

$cleanedArg = escapeshellarg($directory);
system("ls {$cleanedArg}");

Now, if the user passes "/tmp;cat /etc/passwd", the command that’s actually run is:

ls '/tmp;cat /etc/passwd'

The easiest way to avoid the shell is to do the work of whatever program you’re trying to call in PHP code, rather than calling out to the shell. Built-in functions are likely to be more secure than anything involving the shell.
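As an added example (not the book's own code), the following builds the command string both ways so the effect of escapeshellarg() is visible without running anything, then shows the shell-free alternative the last paragraph recommends: scandir() behind a realpath() check that confines the listing to an assumed base directory ('/var/app/data' is a placeholder). It assumes a POSIX shell, since escapeshellarg() quotes differently on Windows.

```php
<?php
// Added example, not from the book. Only builds command strings; nothing
// here calls system(), exec() or any other shell function.

function buildUnsafeCommand(string $directory): string
{
    // The pattern the text warns about: raw interpolation of user input.
    return "ls {$directory}";
}

function buildSafeCommand(string $directory): string
{
    // escapeshellarg() wraps the value in single quotes and escapes any
    // embedded single quotes, so the shell treats it as one argument.
    return "ls " . escapeshellarg($directory);
}

// Shell-free alternative: a built-in function plus a path check, so shell
// metacharacters never matter. $base is an assumed, placeholder directory.
function listDirectorySafely(string $directory, string $base = '/var/app/data'): array
{
    $real = realpath($directory);       // resolves symlinks and ".." segments
    $baseReal = realpath($base);
    if ($real === false || $baseReal === false) {
        throw new InvalidArgumentException('directory does not exist');
    }
    // Accept the base itself or anything strictly below it.
    $prefix = $baseReal . DIRECTORY_SEPARATOR;
    $inside = ($real === $baseReal)
        || strncmp($real, $prefix, strlen($prefix)) === 0;
    if (!$inside) {
        throw new InvalidArgumentException('directory outside permitted base');
    }
    $entries = scandir($real);
    if ($entries === false) {
        throw new RuntimeException('cannot read directory');
    }
    return array_values(array_diff($entries, ['.', '..']));
}

// Constructed sample input, the same value the text uses.
$userInput = "/tmp;cat /etc/passwd";
echo buildUnsafeCommand($userInput), "\n";
echo buildSafeCommand($userInput), "\n";
```

Run it and compare the two printed lines with the two commands shown in the text; the second is the one where the shell receives a single quoted argument.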
