Technical FAQ
PHP Manual
CSS2 Manual
HTML Manual
JS Guide
JS Reference
PhpDock Manual
Nu-Coder Manual
PhpExpress Manual
PHP Joomla
Learn PHP
Last updated: Tue, 19 Sep 2006


(PHP 3, PHP 4, PHP 5)

escapeshellcmd -- Escape shell metacharacters


string escapeshellcmd ( string command )

escapeshellcmd() escapes any characters in a string that might be used to trick a shell command into executing arbitrary commands. This function should be used to make sure that any data coming from user input is escaped before this data is passed to the exec() or system() functions, or to the backtick operator.

Following characters are preceded by a backslash: #&;`|*?~<>^()[]{}$\, \x0A and \xFF. ' and " are escaped only if they are not paired. In Windows, all these characters plus % are replaced by a space instead.



The command that will be escaped.

Return Values

The escaped string.


Example 1. escapeshellcmd() example

$e = escapeshellcmd($userinput);
// here we don't care if $e has spaces
system("echo $e");
$f = escapeshellcmd($filename);
// and here we do, so we use quotes
system("touch \"/tmp/$f\"; ls -l \"/tmp/$f\"");

Last updated: Tue, 19 Sep 2006