Program Execution Functions

escapeshellcmd

Name

escapeshellcmd — escape shell metacharacters

Description

string escapeshellcmd(string command);

EscapeShellCmd escapes any characters in a string that might be used to trick a shell command into executing arbitrary commands. This function should be used to make sure that any data coming from user input is escaped before this data is passed to the exec or system functions. A standard use would be:

system(EscapeShellCmd($cmd));

exec

Name

exec — Execute an external program

Description

string exec(string command, string [array], int [return_var]);

Exec executes the given command but does not output anything. It simply returns the last line from the result of the command. If you need to execute a command and have all the data from the command passed directly back without any interference, use the PassThru function.

If the array argument is present, then the specified array will be filled with every line of output from the command. Note that if the array already contains some elements, exec will append to the end of the array. If you do not want the function to append elements, call unset on the array before passing it to exec.

If the return_var argument is present along with the array argument, then the return status of the executed command will be written to this variable.

Note that if you are going to allow data coming from user input to be passed to this function, then you should be using EscapeShellCmd to make sure that users cannot trick the system into executing arbitrary commands.

See also system, PassThru, popen and EscapeShellCmd.
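
The escaping and output-collection behaviour described above, shown as an added example that is not part of the original manual page. It assumes a current PHP CLI on a Unix-like host with /bin/sh; the helper run_with and the sample input are constructed for illustration, and escapeshellarg is a later PHP function that this page does not cover.

```php
<?php
// Added example; the input below is constructed. Assumes a Unix-like host.

/**
 * Hypothetical helper: run a fixed printf command with one piece of
 * already-escaped untrusted text and return what exec() reports.
 * printf prints one line per argument it receives.
 */
function run_with(string $escapedInput): array
{
    $cmd  = 'printf "%s\n" ' . $escapedInput;   // fixed, trusted prefix
    $last = exec($cmd, $lines, $status);        // $lines gets every line
    return [$last, $lines, $status];
}

// Constructed "user input" containing a shell metacharacter.
$userInput = 'notes.txt; echo INJECTED';

// escapeshellcmd() backslash-escapes ';' so the shell does not start a
// second command. Spaces are left alone, so the value still reaches
// printf as several separate arguments (one output line each).
[$last, $lines, $status] = run_with(escapeshellcmd($userInput));
echo "escapeshellcmd: ", count($lines), " line(s), status $status\n";
print_r($lines);

// escapeshellarg() wraps the value in single quotes, so the whole string
// stays a single argument to printf.
[$last, $lines, $status] = run_with(escapeshellarg($userInput));
echo "escapeshellarg: ", count($lines), " line(s), last line: $last\n";
print_r($lines);

// exec() appends to an array that already holds elements ...
$log = ['earlier entry'];
exec('echo first', $log);
print_r($log);

// ... so call unset() first when only this command's output is wanted.
unset($log);
exec('echo second', $log, $status);
print_r($log);
```

When the untrusted value is meant to be one argument, such as a file name, quoting it with escapeshellarg keeps it from being split into extra arguments or options.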

system

Name

system — Execute an external program and display output

Description

string system(string command, int [return_var]);

System is just like the C version of the function in that it executes the given command and outputs the result. If a variable is provided as the second argument, then the return status code of the executed command will be written to this variable.

Note that if you are going to allow data coming from user input to be passed to this function, then you should be using the EscapeShellCmd function to make sure that users cannot trick the system into executing arbitrary commands.

The System call also tries to automatically flush the web server's output buffer after each line of output if PHP is running as a server module.

If you need to execute a command and have all the data from the command passed directly back without any interference, use the PassThru function. See also the exec and popen functions.

passthru

Name

passthru — Execute an external program and display raw output

Description

string passthru(string command, int [return_var]);

The passthru function is similar to the Exec function in that it executes a command. If the return_var argument is present, the return status of the Unix command will be placed here. This function should be used in place of Exec or System when the output from the Unix command is binary data which needs to be passed directly back to the browser. A common use for this is to execute something like the pbmplus utilities that can output an image stream directly. By setting the content-type to image/gif and then calling a pbmplus program to output a gif, you can create PHP scripts that output images directly.

See also exec and fpassthru.