How to escape php exec() command with quotes

php escaping exec exiv2
13,199

Yes, this is a hard problem, because the command is using non-standard shell arguments (like it's own little meta-language). ImageMagick has the same issues.

If you simply use escapeshellarg() within a double-quoted string, it is rendered useless. escapeshellcmd() does escape all special characters, and is safe for use in a double-quoted string. So you need to hard code single quotes around it to make it work right.

exec('/usr/local/bin/exiv2 -M"set Iptc.Application2.Caption String \'' . escapeshellcmd($caption) . '\'" modify IMG.jpg');

The reason escapeshellarg() will not work in a single quoted string is:

# for this input:
The smith's "; rm -rf *; echo "went to town

# after escapeshellarg()
'The smith\'s "; rm -rf *; echo "went to town'

# Works fine if left as a top-level argument
/usr/bin/command 'The smith\'s "; rm -rf *; echo "went to town'

# BUT if put in a double-quoted string:
/usr/bin/command "subcommand1 'The smith\'s "; rm -rf *; echo "went to town'"

# it is broken into 3 shell commands:
/usr/bin/command "something and 'The smith\'s ";
rm -rf *;
echo "went to town'"

# bad day...
Share:
13,199
Liam
Author by

Liam

With over 15 years experience as a Web Developer, I have gained in-depth knowledge of a wide range of web technologies. I have been responsible for the architecture of several key pieces of software for a diverse portfolio of clients, in the Photography, Education, Tourism, and Retail industries. I mostly work with PHP and JavaScript.

Updated on June 05, 2022

Comments

  • Liam
    Liam almost 2 years

    I use the Exiv2 command line tool on Linux to edit image metadata like so:

    exiv2 -M"set Iptc.Application2.Caption String This is my caption....." modify IMG.jpg

    I want to execute this from PHP, using a caption provide by a user. This will work if the user enters no special characters:

    exec('/usr/local/bin/exiv2 -M"set Iptc.Application2.Caption String '.$caption.'" modify IMG.jpg');

    I need to allow the user special characters such as single and double quotes. I would like to use escapeshellcmd() to prevent malicious data. How can I correctly escape the command and the argument so that it works? I have tried many options but I can't get it right.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Escape string with PHP and HTML
Execute external program ( like skype.exe) using php
str_replace double and single quotes
About exec() function in PHP
Run server-side js from php through exec()
PHP exec/shell_exec/system not working through browser
php shell_exec() out put to get a text file
Calling java from PHP exec
Javascript decode JSON string which contains an encoded string
php-fpm does not work exec, system, shell_exec, only CLI