Using single quotes with escapeshellarg()

[hewbert]

Greetings,

 

I'm trying to execute a shell command with a user-supplied password as input.  The password may contain apostrophes and and virtually any other character.  Unfortunately, when using escapeshellarg(), the password argument is interpreted as two separate arguments, as escapeshellarg() will handle apostrophes (single quotes) by breaking out of the already quoted text and using a backslash escape.

 

$password = escapeshellarg("ex'ample!%");  // The password will actually be supplied by an HTML form.

$command = ('echo '.$password);

echo "$command";

// Returns 'ex'\''ample!%'

 

Does anyone have any input on how to accomplish what I'm trying to do?  I'd like to allow obscure passwords without disallowing specific characters, while still being "safe" in passing the information to a shell command.  Double quotes would work for passing single quotes, but I'm afraid I might break other characters there.

 

Thanks.

[intellix]

What about using stripslashes() on the $password or $command?

[hewbert]

What about using stripslashes() on the $password or $command?

 

I should've mentioned - I use stripslashes() before calling escapeshellarg().

 

Were you thinking of something else?  Slashes aren't so much the problem at hand, as it is the argument is encapsulated with single quotes, but then broken out of it for apostrophes in the variable.

 

I've looked at not using escapeshellarg() at all, but had the side effect of breaking other characters.  Perhaps an array of characters to escape is the way to go, I don't know.

[hewbert]

To follow up to my own thread, maybe something like this??

$badchars = array('!','"','#', '&', ';', '`', '\'','|', '~', '<', '>', '{', '}', ',', ' ', '\x0A', '\xFF' );

$password= quotemeta("ex'amp; le!%");

foreach ($badchars as $char) {
$password = str_replace($char, "\\".$char, $password);
}

// Returns ex\'amp\;\ le\!%

 

Not having the string encapsulated with quotes makes me a little nervous though.