escapeshellarg 和 escapeshellcmd 有什么区别?

2022-01-18 00:00:00 process shell subprocess exec php

PHP 有 2 个密切相关的函数,escapeshellarg()escapeshellcmd().它们似乎都在做类似的事情,即帮助使字符串在 system()/exec()/etc 中更安全地使用.

PHP has 2 closely related functions, escapeshellarg() and escapeshellcmd(). They both seem to do similar things, namely help make a string safer to use in system()/exec()/etc.

我应该使用哪一个?我只是希望能够接受一些用户输入并在其上运行命令,而不是让一切都崩溃.如果 PHP 有一个 exec-type-function,它接受一个字符串数组(如 argv),它绕过了 shell,我会使用它.类似于 Python 的 subprocess.call()功能.

Which one should I use? I just want to be able to take some user input and run a command on it, and not have everything blow up. If PHP had an exec-type-function that took an array of strings (like argv), which bypasses the shell, I'd use that. Similar to Python's subprocess.call() function.

推荐答案

来自 http://ie2.php.net/manual/en/function.escapeshellarg.php

escapeshellarg() 添加单引号围绕一个字符串和引号/转义任何现有的单引号允许您将字符串直接传递给 shell功能并将其视为单个安全参数.

escapeshellarg() adds single quotes around a string and quotes/escapes any existing single quotes allowing you to pass a string directly to a shell function and having it be treated as a single safe argument.

escapeshellarg,顾名思义,用作传递 shell 参数.比如你想列出当前目录,

escapeshellarg, as its name indicates, is used as passing shell argument(s). For example, you want to list current directory,

$dir = ".";
system('ls '.escapeshellarg($dir));
escapeshellcmd('ls $dir');

两者都做类似的事情,并且仅取决于您如何处理逻辑,请确保在直接传递给这些方法之前对输入进行规范化和验证以提高安全性.

Both do similar things and simply depends on how you handle your logic, do make sure your normalize and validate your input before passing directly to these methods for better security.

相关文章