The PHP Function escapeshellarg
Using user-supplied data on the command line is generally considered a security disaster waiting to happen. Sometimes, however, you need to include external data in a command line, and that means escaping special characters so that an attacker cannot trick the command into executing arbitrary commands. The PHP function escapeshellarg() does exactly that.
This function wraps a string in single quotes and escapes any single quotes it already contains, so the string can be passed to a shell program as one safe argument. This is particularly useful in PHP scripts that use exec(), system() or the backtick operator to pass data from a web form to a command.
Note: make sure that your version of PHP supports this function and that exec(), pcntl_exec(), system(), escapeshellcmd() and the backtick operator are enabled in your PHP configuration and PHP binary. Also check whether the mbstring and tokenizer modules are enabled.
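The following is an added example, not code from the original page: it places the vulnerable way of building a command next to the form hardened with escapeshellarg(), and adds the allow-list validation a practitioner would put in front of the shell anyway. The scenario (a web form field named host passed to ping -c 1) and the sample values are constructed; the example assumes a Unix shell, since on Windows escapeshellarg() uses double quotes and a different substitution scheme. On Unix the function wraps the value in single quotes and turns each embedded single quote into '\'' (close quote, escaped quote, reopen quote), so the shell sees exactly one argument no matter what the value contains.

```php
<?php
declare(strict_types=1);

// Vulnerable: the raw form value is spliced into the command string, so any
// shell metacharacter in $host (;, |, &&, $(...), backticks) becomes part of
// the command line the shell interprets.
function buildPingCommandUnsafe(string $host): string
{
    return "ping -c 1 " . $host;
}

// Hardened: escapeshellarg() wraps the value in single quotes and escapes any
// single quote inside it, so the whole value reaches ping as a single argument.
function buildPingCommandSafe(string $host): string
{
    return "ping -c 1 " . escapeshellarg($host);
}

// Defence in depth: check the value against what a hostname may contain before
// it goes anywhere near the shell. Escaping is the last line of defence, not
// the first. (Hypothetical helper; the allow-list is deliberately narrow.)
function isPlausibleHostname(string $host): bool
{
    return $host !== ''
        && strlen($host) <= 253
        && preg_match('/^[A-Za-z0-9.-]+$/', $host) === 1;
}

// Run the command only after validation. The escaped form is still used so that
// a later relaxation of the allow-list cannot reintroduce command injection.
function runPing(string $host): ?string
{
    if (!isPlausibleHostname($host)) {
        return null;
    }
    $output = [];
    $status = 0;
    exec(buildPingCommandSafe($host), $output, $status);
    return $status === 0 ? implode("\n", $output) : null;
}

// Constructed sample inputs: a benign hostname, a value containing a single
// quote, a value carrying a command separator, and the empty string.
$samples = [
    'example.com',
    "it's",
    'example.com; id',
    '',
];

// Only the command strings are printed here; nothing is executed, so the
// difference between the two forms can be inspected safely.
foreach ($samples as $value) {
    printf("input:     %s\n", var_export($value, true));
    printf("unsafe:    %s\n", buildPingCommandUnsafe($value));
    printf("escaped:   %s\n", buildPingCommandSafe($value));
    printf("validates: %s\n\n", isPlausibleHostname($value) ? 'yes' : 'no');
}
```

Comparing the unsafe and escaped lines for the third sample shows the point of the function: in the unsafe form the semicolon ends the ping command and the shell would run what follows, whereas in the escaped form the whole value, semicolon included, is one quoted argument that ping simply fails to resolve. The validation step rejects that value outright, which is why runPing() checks the allow-list first and only then uses the escaped command.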
The person above who commented that this function behaves badly if given the empty string as input is correct: this is a bug. The function should indeed return two single quotes in this case if the input is an empty string. However, it's not really an issue, as most people will not call this function on empty input. They will most likely call it on a variable that is meant to be passed to a command-line program and then pass only the command line as a whole to that program.