hewbert Posted November 29, 2010 Share Posted November 29, 2010 Greetings, I'm trying to execute a shell command with a user-supplied password as input. The password may contain apostrophes and and virtually any other character. Unfortunately, when using escapeshellarg(), the password argument is interpreted as two separate arguments, as escapeshellarg() will handle apostrophes (single quotes) by breaking out of the already quoted text and using a backslash escape. $password = escapeshellarg("ex'ample!%"); // The password will actually be supplied by an HTML form. $command = ('echo '.$password); echo "$command"; // Returns 'ex'\''ample!%' Does anyone have any input on how to accomplish what I'm trying to do? I'd like to allow obscure passwords without disallowing specific characters, while still being "safe" in passing the information to a shell command. Double quotes would work for passing single quotes, but I'm afraid I might break other characters there. Thanks. Quote Link to comment Share on other sites More sharing options...
intellix Posted November 29, 2010 Share Posted November 29, 2010 What about using stripslashes() on the $password or $command? Quote Link to comment Share on other sites More sharing options...
hewbert Posted November 29, 2010 Author Share Posted November 29, 2010 What about using stripslashes() on the $password or $command? I should've mentioned - I use stripslashes() before calling escapeshellarg(). Were you thinking of something else? Slashes aren't so much the problem at hand, as it is the argument is encapsulated with single quotes, but then broken out of it for apostrophes in the variable. I've looked at not using escapeshellarg() at all, but had the side effect of breaking other characters. Perhaps an array of characters to escape is the way to go, I don't know. Quote Link to comment Share on other sites More sharing options...
hewbert Posted November 29, 2010 Author Share Posted November 29, 2010 To follow up to my own thread, maybe something like this?? $badchars = array('!','"','#', '&', ';', '`', '\'','|', '~', '<', '>', '{', '}', ',', ' ', '\x0A', '\xFF' ); $password= quotemeta("ex'amp; le!%"); foreach ($badchars as $char) { $password = str_replace($char, "\\".$char, $password); } // Returns ex\'amp\;\ le\!% Not having the string encapsulated with quotes makes me a little nervous though. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.