escapeshellcmd

Example 1095. Rescue your shell from certain peril

/*
    Let's pretend that $nasty was posted from a form by a malicious user.
    The first command in the string is an argument to be appended to a shell command.
    The second command in the string finds the sh shell and attempts to make a copy of 
    it that's disguised as an ordinary PHP temp file.
    The final command sets permissions that make the copy of the shell run as the user that
    PHP runs as.

    If malicious users have or gain login access to the server, they can use their copy of 
    shell to be able to run as the same user as PHP and the same group as the group owner of /tmp 
    (often group wheel). Using this access, they would probably be able to compromise the files 
    in other users' web directories and may be able to use their new access to force their way into 
    other accounts. Given enough time, they may even be able to compromise root.

    Once again, be careful! Including user data in shell commands is fraught with danger - in short,
    a task best left to bearded, belted, and suspendered UNIX gurus.
*/
    $nasty = 'yak; cp `whereis sh` /tmp/phpmNod8W; chmod 6775 /tmp/phpmNod8W';
    $nicer = escapeshellcmd ($nasty);

    // Use 2>&1 to redirect standard error to standard output
    // This will let the errors be displayed along with any command output
                passthru("finger $nicer 2>&1");

Example 1096. Display the characters that escapeshellcmd() escapes

<table border="1" cellpadding="4" cellspacing="0">
<?php
$format = '<tr align="center"><td>%s</td><td>%s</td><td>%s</td></tr>' . "\n";
printf ($format, 'ASCII', 'Character', 'Escaped');

for ($ord = 0; $ord < 256; ++$ord) {
    $chr = chr ($ord);
    $esc = escapeshellcmd ($chr);
    $chr != $esc
        and printf ($format, $ord, $chr, $esc);
}
?>
</table>