The php Function Escapeshellcmd
PHP is a loosely typed language that does not enforce variable type checking. As such, it is possible for attackers to reach sensitive system functions and calls through scripts. Various tools exist to detect and test PHP applications for vulnerabilities, including scanners that work from HAR files or API schemas and incremental scanning. However, determined attackers will keep finding ways to bypass input sanitization, so using a whitelist of acceptable commands and arguments is an effective way to limit the risk of such attacks.
The PHP function escapeshellcmd() adds single quotes around a string and quotes/escapes any existing single quotes, so that the string can be passed directly to a shell function and treated as a single safe argument. It should be used to ensure that user input which might reach exec(), system() or the backtick operator is properly escaped before the data is executed on the remote host. The function also escapes other characters that could be used to trick shell commands into executing arbitrary code, such as the following:
There are a few other useful functions that should be included in any PHP program, such as strlen(str), which returns the length of a given string; substr(str, start[, len]), which returns a substring starting at a given character and running to the end of the string (or for len characters); strtoupper(str) and strtolower(str); and trim(str), which trims whitespace from the beginning and end of a given string. All of these functions should be used to sanitize any data that may be supplied by users.
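As an added example (not code from the original article), the following PHP puts the page's two recommendations together: a whitelist of acceptable commands and arguments, and escaping before anything reaches the shell. It also shows the split between escapeshellcmd(), which escapes metacharacters in a command string, and escapeshellarg(), which is the function that wraps a single argument in single quotes; the report feature, its action names and the file names are assumptions.

```php
<?php
// Added example, not code from the original article.
// Pattern: whitelist the command, validate the argument, then escape.
// Assumed: a hypothetical "report" feature that lets a user choose an
// action and a file name; the file names below are constructed samples.

// Whitelist: the user chooses a key, never the program or its options.
const ALLOWED_ACTIONS = [
    'count' => '/usr/bin/wc -l',
    'head'  => '/usr/bin/head -n 5',
];

function build_command(string $action, string $filename): ?string
{
    // 1. Reject anything that is not a whitelisted action.
    if (!array_key_exists($action, ALLOWED_ACTIONS)) {
        return null;
    }
    // 2. Whitelist the argument's characters too: a plain file name only,
    //    no path separators, no shell metacharacters, no leading dash.
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,63}\z/', $filename)) {
        return null;
    }
    // 3. escapeshellcmd() escapes metacharacters in the command portion;
    //    escapeshellarg() quotes the argument so the shell sees one word.
    //    Keep the two separate: running escapeshellcmd() over an already
    //    quoted argument escapes the backslashes it added and can alter it.
    return escapeshellcmd(ALLOWED_ACTIONS[$action]) . ' ' . escapeshellarg($filename);
}

function run_action(string $action, string $filename): ?string
{
    $cmd = build_command($action, $filename);
    if ($cmd === null) {
        // Log rejected requests (hex-encoded so log lines cannot be forged).
        error_log("rejected shell request: action={$action} file=" . bin2hex($filename));
        return null;
    }
    return shell_exec($cmd);
}

// Constructed inputs: a benign name and two injection attempts.
foreach (['report-2024.txt', 'report.txt; rm -rf /tmp/x', 'a`id`b'] as $name) {
    $cmd = build_command('count', $name);
    echo $name, ' => ', $cmd ?? 'REJECTED', PHP_EOL;
}
// What each escaper alone does to the second input, for comparison:
// escapeshellcmd() backslash-escapes the ';' but leaves the spaces, so the
// rest still becomes extra arguments; escapeshellarg() quotes the whole value.
echo escapeshellcmd('report.txt; rm -rf /tmp/x'), PHP_EOL;
echo escapeshellarg('report.txt; rm -rf /tmp/x'), PHP_EOL;
```

Only the first sample name passes the whitelist; the other two are rejected before any escaping takes place, which is the point of validating first and escaping second.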