<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="content-type" content="text/html; charset=UTF-8"> <title>Escape shell metacharacters</title> </head> <body><div class="manualnavbar" style="text-align: center;"> <div class="prev" style="text-align: left; float: left;"><a href="function.escapeshellarg.html">escapeshellarg</a></div> <div class="next" style="text-align: right; float: right;"><a href="function.exec.html">exec</a></div> <div class="up"><a href="ref.exec.html">Program execution Functions</a></div> <div class="home"><a href="index.html">PHP Manual</a></div> </div><hr /><div id="function.escapeshellcmd" class="refentry"> <div class="refnamediv"> <h1 class="refname">escapeshellcmd</h1> <p class="verinfo">(PHP 4, PHP 5, PHP 7)</p><p class="refpurpose"><span class="refname">escapeshellcmd</span> — <span class="dc-title">Escape shell metacharacters</span></p> </div> <div class="refsect1 description" id="refsect1-function.escapeshellcmd-description"> <h3 class="title">Description</h3> <div class="methodsynopsis dc-description"> <span class="type">string</span> <span class="methodname"><strong>escapeshellcmd</strong></span> ( <span class="methodparam"><span class="type">string</span> <code class="parameter">$command</code></span> )</div> <p class="para rdfs-comment"> <span class="function"><strong>escapeshellcmd()</strong></span> escapes any characters in a string that might be used to trick a shell command into executing arbitrary commands. This function should be used to make sure that any data coming from user input is escaped before this data is passed to the <span class="function"><a href="function.exec.html" class="function">exec()</a></span> or <span class="function"><a href="function.system.html" class="function">system()</a></span> functions, or to the <a href="language.operators.execution.html" class="link">backtick operator</a>. </p> <p class="para"> Following characters are preceded by a backslash: <em>&#;`|*?~<>^()[]{}$\</em>, <em>\x0A</em> and <em>\xFF</em>. <em>'</em> and <em>"</em> are escaped only if they are not paired. In Windows, all these characters plus <em>%</em> and <em>!</em> are replaced by a space instead. </p> </div> <div class="refsect1 parameters" id="refsect1-function.escapeshellcmd-parameters"> <h3 class="title">Parameters</h3> <p class="para"> <dl> <dt> <code class="parameter">command</code></dt> <dd> <p class="para"> The command that will be escaped. </p> </dd> </dl> </p> </div> <div class="refsect1 returnvalues" id="refsect1-function.escapeshellcmd-returnvalues"> <h3 class="title">Return Values</h3> <p class="para"> The escaped string. </p> </div> <div class="refsect1 examples" id="refsect1-function.escapeshellcmd-examples"> <h3 class="title">Examples</h3> <p class="para"> <div class="example" id="example-4487"> <p><strong>Example #1 <span class="function"><strong>escapeshellcmd()</strong></span> example</strong></p> <div class="example-contents"> <div class="phpcode"><code><span style="color: #000000"> <span style="color: #0000BB"><?php<br /></span><span style="color: #FF8000">// We allow arbitrary number of arguments intentionally here.<br /></span><span style="color: #0000BB">$command </span><span style="color: #007700">= </span><span style="color: #DD0000">'./configure '</span><span style="color: #007700">.</span><span style="color: #0000BB">$_POST</span><span style="color: #007700">[</span><span style="color: #DD0000">'configure_options'</span><span style="color: #007700">];<br /><br /></span><span style="color: #0000BB">$escaped_command </span><span style="color: #007700">= </span><span style="color: #0000BB">escapeshellcmd</span><span style="color: #007700">(</span><span style="color: #0000BB">$command</span><span style="color: #007700">);<br /> <br /></span><span style="color: #0000BB">system</span><span style="color: #007700">(</span><span style="color: #0000BB">$escaped_command</span><span style="color: #007700">);<br /></span><span style="color: #0000BB">?></span> </span> </code></div> </div> </div> </p> </div> <div class="refsect1 notes" id="refsect1-function.escapeshellcmd-notes"> <div class="warning"><strong class="warning">Warning</strong> <p class="para"> <span class="function"><strong>escapeshellcmd()</strong></span> should be used on the whole command string, and it still allows the attacker to pass arbitrary number of arguments. For escaping a single argument <span class="function"><a href="function.escapeshellarg.html" class="function">escapeshellarg()</a></span> should be used instead. </p> </div> </div> <div class="refsect1 changelog" id="refsect1-function.escapeshellcmd-changelog"> <h3 class="title">Changelog</h3> <p class="para"> <table class="doctable informaltable"> <thead> <tr> <th>Version</th> <th>Description</th> </tr> </thead> <tbody class="tbody"> <tr> <td>5.4.43, 5.5.27, 5.6.11</td> <td> Exclamation marks are replaced by spaces. </td> </tr> </tbody> </table> </p> </div> <div class="refsect1 seealso" id="refsect1-function.escapeshellcmd-seealso"> <h3 class="title">See Also</h3> <p class="para"> <ul class="simplelist"> <li class="member"><span class="function"><a href="function.escapeshellarg.html" class="function" rel="rdfs-seeAlso">escapeshellarg()</a> - Escape a string to be used as a shell argument</span></li> <li class="member"><span class="function"><a href="function.exec.html" class="function" rel="rdfs-seeAlso">exec()</a> - Execute an external program</span></li> <li class="member"><span class="function"><a href="function.popen.html" class="function" rel="rdfs-seeAlso">popen()</a> - Opens process file pointer</span></li> <li class="member"><span class="function"><a href="function.system.html" class="function" rel="rdfs-seeAlso">system()</a> - Execute an external program and display the output</span></li> <li class="member"><a href="language.operators.execution.html" class="link">backtick operator</a></li> </ul> </p> </div> </div><hr /><div class="manualnavbar" style="text-align: center;"> <div class="prev" style="text-align: left; float: left;"><a href="function.escapeshellarg.html">escapeshellarg</a></div> <div class="next" style="text-align: right; float: right;"><a href="function.exec.html">exec</a></div> <div class="up"><a href="ref.exec.html">Program execution Functions</a></div> <div class="home"><a href="index.html">PHP Manual</a></div> </div></body></html>