Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

PHP exec() and spaces in paths

Tags:

path

php

exec

I'm executing the following in a PHP application:

  $source = '/home/user/file.ext';
  $output_dir = $this->setOutputString();

  chdir('/home/ben/xc/phplib/bgwatcher-2011a/a01/');
  exec('php bin/createjob.php $source $output_dir', $output);

  return $output[0];

The problem is this: I have control over $source, but not $output_dir, which is a legacy Windows filesystem, and there are spaces in the path. An example $output_dir is:

/home/vol1/district id/store id/this_is_the_file.html

When inserting the output string into the exec() function, I have tried both:

addslashes($output_dir) and '"' . $output_dir . '"' to escape the entire output string. In the first case, the path gets concatenated to:

/home/vol1/districtthis_is_the_file.html

... where everything between the first space and the filename gets dropped. In the second case, exec() appears to throw a shoe and doesn't execute properly - unfortunately, the error message is getting lost in the machinery - I can provide it if it's absolutely necessary, but I'm also under time constraints to find a solution.

What's the solution, here? Do I sprintf() the entire string for exec()? I'm very confused as to why addslashes isn't working correctly to escape the spaces, and I assume it has something to do with sanitization with exec(), but I can't find any documentation to back it up.

Update: I've tried escapeshellarg() and preg_replace() without success. Thinking about this further, do I need to double-escape the path? Or escape the path and the command? If the path is being unescaped once by exec(), and once by PHP before it executes the command, does it stand to reason that I need to account for both escapes? Or is that not how it works?

like image 363
b. e. hollenbeck Avatar asked Mar 30 '11 17:03

b. e. hollenbeck


2 Answers

I don't believe addslashes() does anything with spaces. escapeshellarg() might be what you want instead. Docs on escapeshellarg

like image 63
Michael Berkowski Avatar answered Sep 28 '22 22:09

Michael Berkowski


From the PHP doc (here),

Returns a string with backslashes before characters that need to be quoted in database queries etc. These characters are single quote ('), double quote ("), backslash () and NUL (the NULL byte).

This won't do anything to the spaces. What you will need to do is use str_replace() to add slashes, like this:

$new_string = str_replace(" ", "\\ ", $old_string);

like image 32
Bojangles Avatar answered Sep 28 '22 22:09

Bojangles