search for in the  
<Program Executionescapeshellcmd>
Last updated: Thu, 19 May 2005

escapeshellarg

(PHP 4 >= 4.0.3, PHP 5)

escapeshellarg -- Escape a string to be used as a shell argument

Description

string escapeshellarg ( string arg )

escapeshellarg() adds single quotes around a string and quotes/escapes any existing single quotes allowing you to pass a string directly to a shell function and having it be treated as a single safe argument. This function should be used to escape individual arguments to shell functions coming from user input. The shell functions include exec(), system() and the backtick operator.

Parameters

arg

The argument that will be escaped.

Return Values

The escaped string.

Examples

Example 1. escapeshellarg() example

<?php
system('ls '.escapeshellarg($dir));
?>

See Also

escapeshellcmd()
exec()
popen()
system()
backtick operator



User Contributed Notes
escapeshellarg
18-May-2005 01:37
According to my test (PHP 4.3.10) there is no need to call escapeshellarg() on a filename that is being written to by proc_open, and probably others. E.g.
<?php
$process = proc_open("echo hi",
                               array(
                                 0 => array("pipe", "r"),
                                 1 => array("file", 'filename with spaces', "w"),
                                 2 => array("pipe", "w"),
                               ),
                               $pipes);
?>
creates a file named:

filename with spaces

In fact,
<?php
         1 => array("file", escapeshellarg('filename with spaces')
?>
creates a file named:

'filename with spaces'

(quotes included in filename.) Maybe all the PHP functions that take a filename as a separate parameter work this way. I guess you just need to escape filenames when they are part of a single string command line such as with the backtick operator, system(), etc.
antony lesuisse
22-Apr-2004 10:30
NOTE: If you are using PHP >= 4.2 you should use the pcntl_* (Process
Control) functions instead of this hack.

PHP, before version 4.2, didn't provide any execl(3)-like or
execv(3)-like methods to invoke external programs, thus everything
goes trough /bin/sh -c and we are forced to quote arguments.

To make it worse escapeshellarg() behaves badly (IMHO) with an empty
string:
<?php
   echo "mime-construct --to ".escapeshellarg($to)." --cc a@a.com";
?>

The following function is a wrapper to system(), and it can be adapted
to popen(),exec(),shell_exec():

<?php
   # system with perl? semantics
   function lib_system() {
       $arg=func_get_args();
       if(is_array($arg[0]))
           $arg=$arg[0];
       $cmd=array_shift($arg);
       foreach($arg as $i) {
           $cmd.=" ''".escapeshellarg($i);;
       }
       system($cmd);
   }
   # example1
   lib_system("mime-construct","--output", "--to",$a,"--string",$b);
   # example2
   lib_system(array("mime-construct","--output", "--to",$a,"--string",$b));
?>
vosechu at roman-fleuve dot com
25-Mar-2004 07:05
If escapeshellarg() returned something on a null input it would probably break more programs than it helps. Even if it's two "'s or two ''s, this function wouldn't work the way it's supposed to (that is, returning nothing).

However, most people do not put "" into their commands but I can see where it might be useful at the same time.
Perhaps an option in the command that would return the type of null we want. I might want the null character to be returned, someone else might want '', and someone else might want nothing at all.
php at floris dot nu
26-Mar-2003 09:27
i also thought the output was gonna be between 's because that's the way windows handles arguments with spaces in them. i think we have a unix <> windows misunderstanding here...
jbriggs at esoft dot com
04-Jan-2002 02:57
This function returns nothing when called with an empty argument.

escapeshellarg("b'lah") returns 'b'\''lah'
but escapeshellarg("") returns ""

<Program Executionescapeshellcmd>
 Last updated: Thu, 19 May 2005
Copyright © 2001-2005 The PHP Group
All rights reserved.		 This unofficial mirror is operated at: The Server Pages
Last updated: Thu May 19 17:35:34 2005 CDT