php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #34945 exec(): Problem with quotes in commandline
Submitted: 2005-10-21 12:54 UTC Modified: 2020-01-28 09:14 UTC
Votes:5
Avg. Score:4.0 ± 1.3
Reproduced:5 of 5 (100.0%)
Same Version:1 (20.0%)
Same OS:4 (80.0%)
From: not-implemented at mark-plomer dot de Assigned: cmb (profile)
Status: Closed Package: Program Execution
PHP Version: 5CVS-2005-10-21 (snap) OS: WinXP
Private report: No CVE-ID: None
 [2005-10-21 12:54 UTC] not-implemented at mark-plomer dot de
Description:
------------
If i have a complicated commandline with quotes and spaces in it, and pass it to exec(), system(), ..., then i get under Windows "path or filename not found" despite the filenames are correct.

The Problem is the following:
PHP starts a command over the command-interpreter by prefixing the commandline with "cmd.exe /c ".

Test in DOS-Box:
If I enter the command in a "DOS-Box", the result is ok, but if I prefix it with "cmd.exe /c ", then i get the same failure as in PHP.

If you read the "manpage" ("cmd.exe /?"), there is a hint, that "cmd.exe /c" has problems with quotes. And IMHO there is no way to escape theese quotes.

My solutions are:
- Someone finds a way to escape quotes for cmd.exe
- A new Parameter for system()/exec()/...
- ... or better: A php.ini-setting, ... which controls, if the command is executed over the shell, or executed directly.


Reproduce code:
---------------
system('"D:\Program Files\fop\fop.bat" "path with blanks/to/bla.fo" "output path/bla.pdf"');

Expected result:
----------------
Successful execution.

Actual result:
--------------
cmd.exe says: "path/file not found"

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2005-10-21 12:58 UTC] tony2001@php.net
Sorry, but your problem does not imply a bug in PHP itself.  For a
list of more appropriate places to ask for help using PHP, please
visit http://www.php.net/support.php as this bug system is not the
appropriate forum for asking support questions.  Due to the volume
of reports we can not explain in detail here why your report is not
a bug.  The support channels will be able to provide an explanation
for you.

Thank you for your interest in PHP.


 [2005-10-21 14:18 UTC] mplomer at gmx dot de
Sure, it's not directly a Bug in PHP, but it's a feature-request to workaround a bug/feature of cmd.exe:

We need a possibility to bypass the command-interpreter for execution of commands, since cmd.exe can't execute it complete correctly.
Or someone finds a solution to escape quotes correctly. I will check this out over the weekend ;-)
 [2005-10-21 14:58 UTC] cspeer at gmx dot de
I have the same problem. I have also no solution to execute commands with many quotes.
 [2005-10-27 19:38 UTC] mplomer at gmx dot de
cmd.exe /C accepts only two quotes in a commandline. If there are more, then the first and the last quote is removed.
This makes it impossible to pass commandlines like:
"C:/Program Files/bla/bla.exe" "c:/my files/bla.txt"

So it is IMHO the best way, if we create an option to bypass the command-interpreter.
 [2010-02-03 20:21 UTC] mplomer at gmx dot de
Since PHP 5.2.1 the proc_open() function has a new parameter "bypass_shell", which is the needed feature.

It would be nice to have the same solution for all other shell related functions (exec,shell_exec,system,...). For example via a php.ini option.
 [2016-12-30 23:15 UTC] cmb@php.net
-Package: Feature/Change Request +Package: Program Execution
 [2020-01-27 12:08 UTC] cmb@php.net
-Status: Open +Status: Feedback -Assigned To: +Assigned To: cmb
 [2020-01-27 12:08 UTC] cmb@php.net
I don't see a need to add an option.  Regarding the original
report, the solution would be to enclose the command in another
pair of double-quotes, e.g.

  system('""D:\Program Files\fop\fop.bat" "path with blanks/to/bla.fo" "output path/bla.pdf""');

As of PHP 5.3.11, this additional pair of double-quotes is
inserted by PHP, so the original test script should work as is.

See also <https://github.com/php/php-src/pull/5102>.
 [2020-01-27 21:42 UTC] not-implemented at mark-plomer dot de
-: mplomer at gmx dot de +: not-implemented at mark-plomer dot de -Status: Feedback +Status: Assigned
 [2020-01-27 21:42 UTC] not-implemented at mark-plomer dot de
Oh wow ... activity on my ~15 year old bug-report ;-) Yes I think it should be fine now, and you can close the bug report as fixed :-) Thanks.
 [2020-01-28 09:14 UTC] cmb@php.net
-Status: Assigned +Status: Closed
 [2020-01-28 09:14 UTC] cmb@php.net
Thanks!

Good things come to those who wait. :)
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Mon Aug 03 09:01:26 2020 UTC