php – Securing user input with escapeshellarg()-ThrowExceptions

Exception or error:

I need to use some user inputs with some shell_exec and exec commands. I know this can be a large security risk so I want to make sure I’m doing it right.

My original commands look like:

shell_exec('php getText.php "' . $_GET['title'] . '"');

exec('php importImages.php --comment="' . $_GET['comment'] . '"');

Is wrapping the user inputs with escapeshellarg the way I can secure this vulnerability? Will there be any issues with using it? Or anything else I should be concerned about?

shell_exec('php getText.php "' . escapeshellarg($_GET['title']) . '"');

exec('php importImages.php --comment="' . escapeshellarg($_GET['comment']) . '"');
How to solve:

escapeshellarg() will quote and escape your values for you.

var_dump(escapeshellarg('foo'));
// output: string(5) "'foo'"

So your code should look like this:

shell_exec('php getText.php ' . escapeshellarg($_GET['title']));
exec('php importImages.php --comment=' . escapeshellarg($_GET['comment']));

Leave a Reply

Your email address will not be published. Required fields are marked *