<HTML ><HEAD ><TITLE >escapeshellcmd</TITLE ><META NAME="GENERATOR" CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK REL="HOME" TITLE="PHP Manual" HREF="index.html"><LINK REL="UP" TITLE="Program Execution functions" HREF="ref.exec.html"><LINK REL="PREVIOUS" TITLE="escapeshellarg" HREF="function.escapeshellarg.html"><LINK REL="NEXT" TITLE="exec" HREF="function.exec.html"><META HTTP-EQUIV="Content-type" CONTENT="text/html; charset=ISO-8859-1"></HEAD ><BODY CLASS="refentry" BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#840084" ALINK="#0000FF" ><DIV CLASS="NAVHEADER" ><TABLE SUMMARY="Header navigation table" WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0" ><TR ><TH COLSPAN="3" ALIGN="center" >PHP Manual</TH ></TR ><TR ><TD WIDTH="10%" ALIGN="left" VALIGN="bottom" ><A HREF="function.escapeshellarg.html" ACCESSKEY="P" >Prev</A ></TD ><TD WIDTH="80%" ALIGN="center" VALIGN="bottom" ></TD ><TD WIDTH="10%" ALIGN="right" VALIGN="bottom" ><A HREF="function.exec.html" ACCESSKEY="N" >Next</A ></TD ></TR ></TABLE ><HR ALIGN="LEFT" WIDTH="100%"></DIV ><H1 ><A NAME="function.escapeshellcmd" ></A >escapeshellcmd</H1 ><DIV CLASS="refnamediv" ><A NAME="AEN78735" ></A ><P > (PHP 3, PHP 4 )</P >escapeshellcmd -- escape shell metacharacters</DIV ><DIV CLASS="refsect1" ><A NAME="AEN78738" ></A ><H2 >Description</H2 >string <B CLASS="methodname" >escapeshellcmd</B > ( string command)<BR ></BR ><P > <B CLASS="function" >escapeshellcmd()</B > escapes any characters in a string that might be used to trick a shell command into executing arbitrary commands. This function should be used to make sure that any data coming from user input is escaped before this data is passed to the <A HREF="function.exec.html" ><B CLASS="function" >exec()</B ></A > or <A HREF="function.system.html" ><B CLASS="function" >system()</B ></A > functions, or to the <A HREF="language.operators.execution.html" >backtick operator</A >. 
A standard use would be:</P ><P > <DIV CLASS="informalexample" ><A NAME="AEN78752" ></A ><P ></P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" CELLPADDING="5" ><TR ><TD ><PRE CLASS="php" >$e = escapeshellcmd($userinput);
system("echo $e"); // here we don't care if $e has spaces

$f = escapeshellcmd($filename);
system("touch \"/tmp/$f\"; ls -l \"/tmp/$f\""); // and here we do, so we use quotes</PRE ></TD ></TR ></TABLE ><P ></P ></DIV > </P ><P > See also <A HREF="function.escapeshellarg.html" ><B CLASS="function" >escapeshellarg()</B ></A >, <A HREF="function.exec.html" ><B CLASS="function" >exec()</B ></A >, <A HREF="function.popen.html" ><B CLASS="function" >popen()</B ></A >, <A HREF="function.system.html" ><B CLASS="function" >system()</B ></A >, and the <A HREF="language.operators.execution.html" >backtick operator</A >. </P ></DIV ><DIV CLASS="NAVFOOTER" ><HR ALIGN="LEFT" WIDTH="100%"><TABLE SUMMARY="Footer navigation table" WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0" ><TR ><TD WIDTH="33%" ALIGN="left" VALIGN="top" ><A HREF="function.escapeshellarg.html" ACCESSKEY="P" >Prev</A ></TD ><TD WIDTH="34%" ALIGN="center" VALIGN="top" ><A HREF="index.html" ACCESSKEY="H" >Home</A ></TD ><TD WIDTH="33%" ALIGN="right" VALIGN="top" ><A HREF="function.exec.html" ACCESSKEY="N" >Next</A ></TD ></TR ><TR ><TD WIDTH="33%" ALIGN="left" VALIGN="top" >escapeshellarg</TD ><TD WIDTH="34%" ALIGN="center" VALIGN="top" ><A HREF="ref.exec.html" ACCESSKEY="U" >Up</A ></TD ><TD WIDTH="33%" ALIGN="right" VALIGN="top" >exec</TD ></TR ></TABLE ></DIV ></BODY ></HTML >
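An added example, not taken from the PHP manual, that contrasts escapeshellcmd() with escapeshellarg() on the same untrusted values and shows why the manual's second call puts quotes around the value: escapeshellcmd() backslashes shell metacharacters but leaves spaces untouched, so an unquoted value can still be split into several arguments. The $inputs array is constructed for the demonstration, and the output assumes a POSIX shell (on Windows both functions quote differently).

```php
<?php
// Added example, not part of the PHP manual: shows what escapeshellcmd()
// and escapeshellarg() do to the same untrusted value, and why the manual
// quotes the value when spaces matter.

// Constructed inputs of the kind a web form might submit.
$inputs = array(
    'report.txt',      // benign file name
    'my file.txt',     // contains a space
    'a; echo b',       // tries to chain a second command
    '$(echo b)',       // command substitution
    '`echo b`',        // backtick substitution
);

foreach ($inputs as $in) {
    // escapeshellcmd(): backslashes shell metacharacters, leaves spaces alone,
    // so the caller must add quotes where the value is used as one argument.
    $cmd = escapeshellcmd($in);

    // escapeshellarg(): wraps the whole value as ONE single-quoted argument,
    // so spaces and metacharacters are both harmless.
    $arg = escapeshellarg($in);

    // The manual's pattern: quote the escaped value yourself.
    $quoted = "touch \"/tmp/$cmd\"; ls -l \"/tmp/$cmd\"";

    // Equivalent for a single argument: escape the complete argument instead.
    $single = 'ls -l ' . escapeshellarg('/tmp/' . $in);

    printf("%-12s  escapeshellcmd: %-16s  escapeshellarg: %s\n", $in, $cmd, $arg);
    printf("              quoted by hand:  %s\n", $quoted);
    printf("              escapeshellarg:  %s\n", $single);
}

// Harmless demonstration with echo: with either escaping the shell treats the
// value as literal text and does not run the embedded command.
$in = 'a; echo b';
system('echo ' . escapeshellcmd($in));
system('echo ' . escapeshellarg($in));
?>
```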