takuya/php-shell

Safer shell_exec

Maintainers

Details

github.com/takuya/php-shell

Homepage

Source

Issues

Installs: 2

Dependents: 0

Suggesters: 0

Security: 0

Stars: 0

Watchers: 3

Forks: 0

Open Issues: 0

1.0.1 2020-04-16 13:57 UTC

Requires

  • php: >=7.0.0

Requires (Dev)

GPL-3.0-or-later fa72f2c39e16f164173b6a05d18fcab2b2c1d170

  • takuya <takuya.1st+nospam.woop@gmail.com>

commandexecshell_exec

This package is auto-updated.

Last update: 2024-04-16 23:48:19 UTC

README

$name = "takuya";
$ret = PHPShell::exec_command('echo $name', ['name'=>$name]);

Apparently, $name in 'echo $name looks like php variable, but $name is as passed shell env variable.

Compare to escapeshellarg

Quart is unfriendly for debugging.

$name = "takuy'a;curl -h ";
$name = escapeshellarg($name); // -> "'takuy'\''a;curl -h '"

Long string arguments make code more difficult to read..

$url =  escapeshellarg("too long argument ..afasdfasdfasdfasdfawefadf");
$json = escapeshellarg(json_encode($object))
$cmd = 'curl -v -L $url -X POST --data $json';
var_dump($cmd);

Using Environment is more simple. And become more clear code what we will do.

$env_vars =  ['url'=>$url, 'json'=>$json];
foreach( $env_vars as $k=>$v ){
  putenv("$k=$v");
}
$ret = shell_exec('curl -v -L $url -X POST --data $json');

For this reason, this library supports you to pass argument as Environment instead of raw string.

Feature

Safer calling Shell Command. To avoid escaping Shell arguments , this library using ENV. By using Env instead of escaping, shell command call become slightly safer and simpler to avoid shell command injection.

since

  • First release was 2008.