Best way to sanitize exec command with user inserted variables

The Digital Ninja picture The Digital Ninja · Jun 11, 2009 · Viewed 8.3k times · Source

I'm coding a web interface to a horrible piece of propitiatory software our company uses. The software has no real UI and requires us giving putty access to our system for our clients to even pull data. My web interface has to run an exec(); function and it has to pass a few variables the user inputs.

$command = "report-call '$type' '$study' '$server' '$tag' '$specopt1' '$specopt2' '$specopt3' '$specopt4'";
$last_line = exec($command, $output, $returnvalue); 

Now I assume I might be able to just remove any semicolons from the $command varible and be safe, but I'm not sure and that's why I'm posing this here before we go live next month.

What would be the best way to sanitize $command? There are a few special chars that I do need to be in the variables [ ] < > ! # $ .

Answer

gahooa picture gahooa · Jun 11, 2009

Use the function that PHP has for this purpose:

$cmd = 
     "/usr/bin/do-something " . 
     escapeshellarg($arg1) . 
     ' ' . 
     escapeshellarg($arg2);

You can also use escapeshellcmd()

What's the difference?

escapeshellarg() ONLY adds ' around the string and then \ before any other ' characters. http://www.php.net/escapeshellarg

escapeshellcmd() escapes all shell-sensitive characters ($, \, etc..) but does not add quotes. http://www.php.net/manual/en/function.escapeshellcmd.php

The gotcha is in the case that you use escapeshellarg() as PART OF A QUOTED parameter. Then it is rendered useless (actually adding quotes to the mix).

Generally speaking, we prefer to use escapeshellcmd() with our own quotes added.

$cmd = 
    "/usr/bin/do-something '" . 
    escapeshellcmd($arg1) . 
    "' '" . 
    escapeshellcmd($arg2) . 
    "'";

Be safe!