(PHP 4 >= 4.0.3, PHP 5, PHP 7)

escapeshellarg - Escape a string to be used as a shell argument


string escapeshellarg ( string $arg )

escapeshellarg() adds single quotes around a string and escapes any existing single quotes, allowing you to pass the string directly to a shell function and have it treated as a single safe argument. This function should be used to escape individual arguments to shell functions that come from user input. Argument escaping is needed for shell functions such as exec(), system() and the backtick operator.

On Windows, escapeshellarg() replaces exclamation marks, percent signs (delayed variable expansion) and double quotes with spaces and adds double quotes around the string.

Parameters


The argument that will be escaped.

Return Values

The escaped string.


Example #1 escapeshellarg() example

system('ls '.escapeshellarg($dir));
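
The following is an added example, not part of the PHP manual: it passes constructed sample strings through escapeshellarg() and checks that each one reaches the program as exactly one argument with its content unchanged. It assumes a POSIX sh and that one of the UTF-8 locales named in the setlocale() call is installed; the helper names argc() and roundtrip() are hypothetical.

```php
<?php
// Added example. Assumes a POSIX shell; sample inputs below are constructed.
// Without a UTF-8 LC_CTYPE, multibyte characters may be stripped.
setlocale(LC_CTYPE, 'en_US.UTF-8', 'C.UTF-8');

// Number of positional arguments the shell sees for one escaped value.
function argc(string $arg): int
{
    // The inner sh prints $#, the count of arguments after the "sh" placeholder.
    return (int) trim((string) shell_exec("sh -c 'echo \$#' sh " . escapeshellarg($arg)));
}

// What the called program actually receives as its argument.
function roundtrip(string $arg): string
{
    // '%s' is a fixed format string; only the escaped argument varies.
    return (string) shell_exec("printf '%s' " . escapeshellarg($arg));
}

$samples = [
    'plain.txt',
    "it's here",               // embedded single quote becomes '\''
    'x; echo $PATH `date`',    // metacharacters stay literal inside '...'
    'two  words',              // whitespace does not split the argument
    '',                        // empty string is still one argument
    'naïve.txt',               // needs the UTF-8 locale set above
];

foreach ($samples as $s) {
    printf(
        "%-26s => %-30s argc=%d %s\n",
        var_export($s, true),
        escapeshellarg($s),
        argc($s),
        roundtrip($s) === $s ? 'intact' : 'ALTERED'
    );
}
```

Every row should report argc=1 and "intact"; a row marked ALTERED for the non-ASCII sample indicates that no UTF-8 locale was available.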

Changelog

Version                   Description
5.4.43, 5.5.27, 5.6.11    Exclamation marks are replaced by spaces.

See Also

  • escapeshellcmd() - Escape shell metacharacters
  • exec() - Execute an external program
  • popen() - Opens process file pointer
  • system() - Execute an external program and display the output
  • Execution operator


User Contributed Notes 13 notes

phil at philfreo dot com
7 years ago
When escapeshellarg() was stripping my non-ASCII characters from a UTF-8 string, adding the following fixed the problem:

setlocale(LC_CTYPE, "en_US.UTF-8");
egorinsk at gmail dot com
10 years ago
Under Windows, this function puts string into double-quotes, not single, and replaces %(percent sign) with a space, that's why it's impossible to pass a filename with percents in its name through this function.
11 years ago
Most of the comments above have misunderstood this function. It does not need to escape characters such as '$' and '`' - it uses the fact that the shell does not treat any characters as special inside single quotes (except the single quote character itself). The correct way to use this function is to call it on a variable that is intended to be passed to a command-line program as a single argument to that program - you do not call it on command-line as a whole.

The person above who comments that this function behaves badly if given the empty string as input is correct - this is a bug. It should indeed return two single quotes in this case.
info at infosoporte dot com
9 years ago
If the escapeshellarg() function removes your accents (like á, a with an 'acute') from the given string, ensure your LC_ALL variable is correct. If using it via web, you need to restart Apache or the corresponding web server after setting LC_ALL with an export LC_ALL=es_ES.utf8 (for example) from your shell.
9 years ago
The reason why % are replaced with space on windows is that it is impossible in cmd.exe to escape or quote them so that environment variables are not expanded.  If for instance %path% is in your argument it will always be expanded, so the only safe thing to do is to replace % with something else.

Alternatively, you could wipe the environment before making the call to exec(), but that has its side-effects.
sblyons+php at gmail dot com
5 years ago
Take care if using escapeshellarg() on serialized objects. Serialized objects contain null bytes, and escapeshellarg stops on the first null byte so you will not receive the full argument. (I consider this a bug, though not sure what it should do in this case. Probably serialize shouldn't have used null bytes, but too late for that now).
The workaround I've found to pass serialized objects on the command line is to base64_encode() them first and decode on the other side.
phpnet at lostreality dot org
12 years ago
This function does not escape $ it seems. This lets user embed shell variables such as $PATH into commands, which you may or may not want to allow.  I'm using shell_exec() because I need the entire command as one string, and need access to the stdout data as one string as well.
jrbeaure at uvm dot edu
8 years ago
When running a string of LaTeX code containing hyphens through as an argument to pdflatex escaped using this command, it will result in failure.
phpman at crustynet dot org dot uk
8 years ago
The comment from 'rmays at castlecomm dot com' is incorrect: single quotes cannot be backslash-escaped inside a single-quoted string when constructing a shell argument. The output from this function is in fact correct. It drops out of the single-quoted string, includes a literal single quote with a backslash-escape, then resumes the single-quoted string. Observe:


system("echo ' single quote\'d '");
system("echo ' single quote'\''d '");

$ php shellarg.php
sh: -c: line 0: unexpected EOF while looking for matching `''
sh: -c: line 1: syntax error: unexpected end of file
single quote'd
vosechu at roman-fleuve dot com
13 years ago
If escapeshellarg() returned something on a null input it would probably break more programs than it helps. Even if it's two "'s or two ''s, this function wouldn't work the way it's supposed to (that is, returning nothing).

However, most people do not put "" into their commands but I can see where it might be useful at the same time.
Perhaps an option in the command that would return the type of null we want. I might want the null character to be returned, someone else might want '', and someone else might want nothing at all.
jon at wroth dot org
3 years ago
The best alternative to escapeshellarg() for Windows I've come up with is this:
function w32escapeshellarg($s)
{
    return '"' . addcslashes($s, '\\"') . '"';
}
wijnand at jpresult dot nl
4 years ago
Here's a quick and dirty replacement of this function in case you need to deal with special characters.

/**
 * An ugly, non-ASCII-character safe replacement of escapeshellarg().
 */
function escapeshellarg_special($file) {
    return "'" . str_replace("'", "'\"'\"'", $file) . "'";
}
9 years ago
In regards to the bug returning no string where it should return "" or '', just do
("example ". (($arg=escapeshellarg($arg))? $arg : "''"));