escapeshellarg
(PHP 4 >= 4.0.3)
escapeshellarg -- escape a string to be used as a shell
argument
Description
string escapeshellarg ( string arg)
escapeshellarg() adds single quotes around a string and
quotes/escapes any existing single quotes, allowing you to
pass the string directly to a shell function and have it
treated as a single safe argument. Use this function to
escape each individual argument that comes from user input
before it is passed to a shell function. The shell functions
include exec(), system() and the backtick operator. A
standard use would be:
<?php
// $dir comes from user input and reaches ls as one quoted argument
system('ls '.escapeshellarg($dir));
?>
See also escapeshellcmd(), exec(), popen(), system(), and
the backtick operator.
escapeshellcmd
(PHP 3, PHP 4 )
escapeshellcmd -- escape shell metacharacters
Description
string escapeshellcmd ( string command)
escapeshellcmd() escapes any characters in a string that
might be used to trick a shell command into executing arbitrary
commands. Use this function to make sure that any data coming
from user input is escaped before it is passed to the exec()
or system() functions, or to the backtick operator. A standard
use would be:
<?php
$e = escapeshellcmd($userinput);
// spaces are left unescaped, which does not matter for echo
system("echo $e");
$f = escapeshellcmd($filename);
// here spaces do matter, so the path is wrapped in double quotes
system("touch \"/tmp/$f\"; ls -l \"/tmp/$f\"");
?>
See also escapeshellarg(), exec(), popen(), system(), and
the backtick operator.
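The difference between the two functions, as an added example that is not part of the PHP manual: escapeshellcmd() leaves spaces unescaped, so one input can reach the program as several arguments, while escapeshellarg() keeps it a single argument. The helper names and the sample file name are constructed, and a Unix-like system with /bin/sh whose utilities honor "--" is assumed.

```php
<?php
// Added example, not from the PHP manual. Function names and the sample
// file name are constructed; assumes a Unix-like system with /bin/sh.

// Ask the shell how many separate arguments it sees in $argString.
function shell_arg_count(string $argString): int
{
    // "sh -c 'echo $#' sh ARGS..." prints the number of ARGS after the
    // shell has parsed them.
    return (int) exec('sh -c \'echo $#\' sh ' . $argString);
}

// Build a command from a fixed program name plus untrusted arguments.
// Every argument is quoted on its own with escapeshellarg(); "--" ends
// option parsing so a value that begins with "-" is not read as a switch
// (assumes the program follows the "--" convention).
function build_command(string $program, array $untrustedArgs): string
{
    $quoted = array_map('escapeshellarg', $untrustedArgs);
    return $program . ' -- ' . implode(' ', $quoted);
}

// Constructed input: a file name containing an apostrophe and spaces.
$name = "it's my file.txt";

// escapeshellcmd() backslash-escapes shell metacharacters but not spaces,
// so the shell still splits the value into several arguments.
$asCmd = escapeshellcmd($name);

// escapeshellarg() wraps the whole value in single quotes and escapes the
// embedded apostrophe, so the shell sees exactly one argument.
$asArg = escapeshellarg($name);

printf("escapeshellcmd: %s -> %d argument(s)\n", $asCmd, shell_arg_count($asCmd));
printf("escapeshellarg: %s -> %d argument(s)\n", $asArg, shell_arg_count($asArg));

// Fixed program and options, untrusted values quoted one by one.
echo build_command('ls -l', [$name, '-R']), "\n";
```

On Windows, escapeshellarg() quotes with double quotes instead of single quotes, so the printed strings differ there.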