|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #18291 exec() arguments (+suggested solution)
Submitted: 2002-07-11 22:44 UTC Modified: 2003-08-05 15:17 UTC
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: php dot hc at saustrup dot net Assigned:
Status: Closed Package: Program Execution
PHP Version: 4.3.3RC2-dev OS: RedHat Linux 7.3
Private report: No CVE-ID: None
 [2002-07-11 22:44 UTC] php dot hc at saustrup dot net
This kept me up all night :-) I needed to pass a textstring to an external program, and did something like this in PHP:

exec('/usr/bin/binary 1 2 3 "a b c" 4 5 6');

It kept screwing up, and after debugging it I realized that the exec() function actually called /usr/bin/binary with 9 arguments, and not 7 as I thought it would. Apparently PHP's exec() just splits up the string where it finds whitespaces and thinks they're different arguments. I'm not sure about the proper solution, but it would be awesome with a more "strict" exec()-like function that could work something like this:

newexec('/usr/bin/binary',array('1','2','3','a b c','4','5','6'));

That way, there would be NO doubt about the arguments :-)


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2002-07-12 18:51 UTC]
FYI: PHP uses popen(), not execve()..

In 4.2.1 there is pcntl_exec() which behaves similarly to
the system execve. Maybe that's what you want to use..?

Try these scripts:

<?php echo exec('./ "213 123"'); ?>

<?php echo exec('./ 213 123'); ?>

echo $1

 [2002-07-19 20:09 UTC] php dot hc at saustrup dot net
I tried what you suggested, and this is what came out:

Script 1: "213
Script 2: 213

I'm a security freak, so I have safe_mode enabled. Apparently safe_mode is infact the cause of this error, because when I disabled it in php.ini, the two scripts worked like you suggested:

Script 1: 213 123
Script 2: 213

Please test this yourself and post the results.
 [2002-07-19 20:56 UTC]
Seems like safe-mode does mess up the parameters.
I'm not sure if this is actually the correct behaviour...

 [2003-07-10 21:46 UTC]
Here you can find possible fix for this problem:

(thanks to Thomas Lamy)

 [2003-08-05 15:17 UTC]
This bug has been fixed in CVS.

In case this was a PHP problem, snapshots of the sources are packaged
every three hours; this change will be in the next snapshot. You can
grab the snapshot at
In case this was a documentation problem, the fix will show up soon at

In case this was a website problem, the change will show
up on the site and on the mirror sites in short time.
Thank you for the report, and for helping us make PHP better.

PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Jul 19 12:01:29 2024 UTC