What is PhpDig?
PhpDig is a PHP MySQL based
Web Spider & Search Engine.



escapeshellcmd — Escapes all of the shell metacharacters and control operators within a string.


string escapeshellcmd(cmd);
string cmd: String to be used as part of a shell command


String with all metacharacters and control operators escaped by backslashes


escapeshellcmd() reduces the risks involved in allowing user input to be passed to the shell, by escaping all metacharacters and control operators with backslashes. PHP considers the following characters to be metacharacters and/or control operators.

ASCII Code Character
10 [newline]
34 "
35 #
36 $
38 &
39 '
40 (
41 )
42 *
59 ;
60 <
62 >
63 ?
91 [
92 \
93 ]
94 ^
96 `
123 {
124 |
125 }
126 ~
255 varies by character set

For more information on metacharacters, control operators, and using shells with strings, consult the documentation (e.g., the man pages) on your server.


Including user input as part of a shell command almost always has some associated risk. While escapeshellcmd() and escapeshellarg() provide some protection against certain types of attacks, you should always be careful when combining shell commands and user input.


PHP 3+; PHP 4+


Example 1095. Rescue your shell from certain peril

    Let's pretend that $nasty was posted from a form by a malicious user.
    The first command in the string is an argument to be appended to a shell command.
    The second command in the string finds the sh shell and attempts to make a copy of 
    it that's disguised as an ordinary PHP temp file.
    The final command sets permissions that make the copy of the shell run as the user that
    PHP runs as.

    If malicious users have or gain login access to the server, they can use their copy of 
    shell to be able to run as the same user as PHP and the same group as the group owner of /tmp 
    (often group wheel). Using this access, they would probably be able to compromise the files 
    in other users' web directories and may be able to use their new access to force their way into 
    other accounts. Given enough time, they may even be able to compromise root.

    Once again, be careful! Including user data in shell commands is fraught with danger - in short,
    a task best left to bearded, belted, and suspendered UNIX gurus.
    $nasty = 'yak; cp `whereis sh` /tmp/phpmNod8W; chmod 6775 /tmp/phpmNod8W';
    $nicer = escapeshellcmd ($nasty);

    // Use 2>&1 to redirect standard error to standard output
    // This will let the errors be displayed along with any command output
                passthru("finger $nicer 2>&1");

Example 1096. Display the characters that escapeshellcmd() escapes

<table border="1" cellpadding="4" cellspacing="0">
$format = '<tr align="center"><td>%s</td><td>%s</td><td>%s</td></tr>' . "\n";
printf ($format, 'ASCII', 'Character', 'Escaped');

for ($ord = 0; $ord < 256; ++$ord) {
    $chr = chr ($ord);
    $esc = escapeshellcmd ($chr);
    $chr != $esc
        and printf ($format, $ord, $chr, $esc);

PHP Functions Essential Reference. Copyright © 2002 by New Riders Publishing (Authors: Zak Greant, Graeme Merrall, Torben Wilson, Brett Michlitsch). This material may be distributed only subject to the terms and conditions set forth in the Open Publication License, v1.0 or later (the latest version is presently available at The authors of this book have elected not to choose any options under the OPL. This online book was obtained from and is designed to provide information about the PHP programming language, focusing on PHP version 4.0.4 for the most part. The information is provided on an as-is basis, and no warranty or fitness is implied. All persons and entities shall have neither liability nor responsibility to any person or entity with respect to any loss or damage arising from the information contained in this book.

Powered by: vBulletin Version 3.0.7
Copyright ©2000 - 2005, Jelsoft Enterprises Ltd.
Copyright © 2001 - 2005, ThinkDing LLC. All Rights Reserved.