>PHP: escapeshellcmd

escapeshellcmd

(PHP 3, PHP 4, PHP 5)

escapeshellcmd -- Escapar meta-caracteres del intÃ©rprete de comandos

DescripciÃ³n

string escapeshellcmd ( string comando )

escapeshellcmd() escapa cualquier caracter en una cadena que pueda ser usado para engaÃ±ar a un comando de shell a que ejecute comandos arbitrarios. Esta funciÃ³n puede ser usada para asegurarse de que cualquier dato viniendo de la entrada del usuario sea escapado antes de que este dato sea pasado a las funciones exec() o system(), o al operador de comilla invertida.

Los siguientes caracteres son precedidos por una barra invertida: #&;`|*?~<>^()[]{}$\, \x0A y \xFF. ' y " son escapados Ãºnicamente si no estÃ¡n emparejados. En Windows, todos estos caracteres mas % son reemplazados por un espacio en su lugar.

Lista de parÃ¡metros

comando: El comando a ser escapado.

Valores retornados

La cadena escapada.

Ejemplos

Ejemplo 1. Ejemplo de escapeshellcmd()

<?php $e = escapeshellcmd($entrada_usuario); // aqui no nos importa si $e tiene espacios system("echo $e"); $f = escapeshellcmd($nombre_archivo); // y aqui si, asi que usamos comillas system("touch \"/tmp/$f\"; ls -l \"/tmp/$f\""); ?>

add a note User Contributed Notes
escapeshellcmd

abennett at clarku dot edu
05-Jul-2006 11:59


I've got a php script that needs to pass a username and password via exec to a perl script.  The problem is valid password characters were getting escaped...



Here's a little perl function I wrote to fix it.



sub unescape_string {

      my $string = shift;

      # all these interpolated regex's are slow, so if there's no

      # backslash in the string don't bother with it

      # index() is faster then a regex

      if ( ! index($string,'\\\\') ) {

         return $string;

      }

      my @characters = ('#', '&', ';', '`', '|', '*', '?', '~', '<', '>', '^', '(', ')',

                        '[', ']', '{', '}', '$', '\\', ',', ' ', '\x0A', '\xFF' );

      my $character;

      foreach $character (@characters) {

         $character = quotemeta($character);

         my $pattern = "\\\\(" . $character . ")";

         $string =~ s/$pattern/$1/g;

      }

      return $string;

}



Hope this is useful.

ceejay at trashfactory dot de
15-Mar-2006 04:43


Well guys, i find it very hard that escapeshellarg and escapeshellcmd are forcely run when passing a command to exec, system or popen, when safe_mode is turned on.



Right now, i did not find any working solution to pass commands like this:

cmd -arg1 -arg2 "<BLA varname=\"varvalue\" varname1=\"varvalue1\" />"



it is just the case, that the parameter for arg2 which is a string that looks like an HTML-Tag with various attributes set, all attributes of the string in arg2 gets splitted by the whitespaces within. this wont happen with safe_mode turned off, so it must be one of the escapefunctions, that breaks functionality. 



In order to circumvent this, i have made a temporary solution, which dynamically creates a skriptfile (by fopen), which just contains the whole command with arguments, and then execute that skriptfile. i dont like that solution, but in the other hand, safe_mode cannot be easily turned off on that server.

cast3r
13-Sep-2005 05:31


"normal any user on linux can view almost any directory so:

ls / -als will print a complete list of any file in the linux filesystem including its size, security and hidden files as well."

ls / -alsR is the whole filesystem.

docey
12-Apr-2005 05:56


the main reason for quoting a command is that it not multiple  command can be joined. i don't know for sure if this is the right syntax but remeber that this can do some nice security breaks. here's one way of how to know exactly what your trying to break into for.



normal any user on linux can view almost any directory so:

ls / -als will print a complete list of any file in the linux filesystem including its size, security and hidden files as well.



now the output would only become known to php and never will the user be able to view this data unless the php script would actual start to print it out. like passtru does!! but a good php coder knows never to use passtru unless not otherwise possible. 



but what would happen if you can direct the output from ls also from that same commandline to a file in the webroot most webserver still default their base-webroot to /var/www/ so storing it there in text file to download it later and you can simply take coffee while checking wich files can be read by php security mode and then simply use the cp command to copy those to the webroot and download them to your own hard-disk. without a list of the files you can only guess where to copy from! and thats harder then guessing the root password. 



so if the first command was quoted it is not possible to attach another command because of a syntax error. think of all the thinks you can do once you got a complete list of every file on the filesystem. including mounted once via NFS and others. security starts at keeping the door hidden.



also another nice command for hanging the webserver can be "php <?php while(true){ exec('ls / -als'); }; ?>" this keeps creating a file list on the entire filesystem wich not only keeps the hard-disk(s) bussy but also memory and cpu   wich must store the returned list. so keeping in mind not all command accepted from users can be used blind. 



actualy never accept any command from external sources only proven built-in predefined commands should be executed.

trisk at earthling dot net
31-Jan-2005 10:19


This function does not work as shown in the php.net examples.



If you put your encoded filename into double-quotes as they suggest, then it will break on certain characters in filenames, such as ampersand.



For example if you have a filename called "foo & bar.jpg" and you use this function on it, your resulting filename when double-quoted will produce this and not be found:



"foo \& bar.jpg"



If you need to have a single argument where spaces are included then do not use this function with added double-quotes, use escapeshellarg() which encloses the whole string in single quotes.



I do not understand which purpose this particular function is intended for.  I can't see any use for it, unless you pass it through another function and convert spaces " " to "\ ", which would allow you to use the string directly on the command line.

add a note

MANUAL DE PHP

windsurf mercedes camper

escapeshellcmd

DescripciÃ³n

Lista de parÃ¡metros

Valores retornados

Ejemplos

Ver tambiÃ©n