php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Doc Bug #68140 escapeshellarg doesn't escape double quotes, it removes them instead
Submitted: 2014-10-03 06:08 UTC Modified: 2015-04-24 21:02 UTC
From: petrhudecek2010 at gmail dot com Assigned:
Status: Not a bug Package: Program Execution
PHP Version: 5.6.1 OS: Windows 8.1
Private report: No CVE-ID: None
View Developer Edit
 [2014-10-03 06:08 UTC] petrhudecek2010 at gmail dot com 
Description:
------------
On Windows, the function escapeshellarg quotes the string in double quotes but instead of escaping existing double quotes, it removes them instead.

Test script:
---------------
<?php
echo escapeshellarg('"');

Expected result:
----------------
"\""

Actual result:
--------------
" "

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2014-10-04 10:15 UTC] ab@php.net
-Status: Open +Status: Feedback
 [2014-10-04 10:15 UTC] ab@php.net 
What is the particular command you're running?

Thanks.
 [2014-10-04 11:02 UTC] petrhudecek2010 at gmail dot com
-Status: Feedback +Status: Open
 [2014-10-04 11:02 UTC] petrhudecek2010 at gmail dot com 
I'm using this code (simplified from what I actually need, but shows the principle):

<?php
$arg = escapeshellarg('echo "hello";');
echo `php -r $arg`;

I wanted it to print hello, instead it says that hello is not a defined constant because it strips the double quotes.
 [2014-10-04 19:19 UTC] ab@php.net
-Status: Open +Status: Not a bug
 [2014-10-04 19:19 UTC] ab@php.net 
Yeah, that were pretty valid with bash. For cmd.exe you'd do like

<?php
$arg = escapeshellarg('echo \'hello\';');
echo `php -r $arg`;

or i do it with

$arg = escapeshellarg("echo 'hello';");
system(PHP_BINARY . " -r $arg");

The behavior is though correct - on Windows escaping seems to be not the shell task, but the one of a program you're working with. Some programs can "eat" it with "" (escape with another double quote) or ^". The common thing is however to have an argument enclosed with double quotes or even without them. So a normal inline code is like

php.exe -r "echo 'hello';"

on Linux you would replace double quotes with single quotes and vice versa, as double quotes could be possible extrapolated with a Linux shell like bash/dash/etc.

Thanks.
 [2014-10-04 19:30 UTC] petrhudecek2010 at gmail dot com 
If escaping is supposed to be the program's task, not the shell's task, then the quotation marks should be passed to the program, not replaced by spaces by escapeshellarg. Currently, escapeshellarg, on Windows, replaces double quotes with spaces, then encloses the entire argument with double quotes which is not something every program wants, nor is it documented.

Can I at least amend the documentation so it clarifies what the function does on Windows?
 [2014-10-05 10:39 UTC] ab@php.net 
But this is the exact point - it is only known for sure that "arg" is fine, except we maintain the escaping info for every arbitrary program. It's more about the platform knowledge, but adding a note to the docs about this might make sense.

Thanks
 [2015-04-24 09:37 UTC] salathe@php.net 
Automatic comment from SVN on behalf of salathe
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=336643
Log: Document how escapeshellarg behaves on Windows. (patch by Petr Hudeček, doc bug #68140)
 [2015-04-24 09:41 UTC] salathe@php.net
-Type: Bug +Type: Documentation Problem
 [2015-04-24 09:41 UTC] salathe@php.net 
This bug has been fixed in the documentation's XML sources. Since the
online and downloadable versions of the documentation need some time
to get updated, we would like to ask you to be a bit patient.

Thank you for the report, and for helping us make our documentation better.
 [2015-04-24 21:02 UTC] cmb@php.net 
JFTR: the job of escapeshellarg() is to escape a *single* *argument* (e.g. hello). To escape a full command (e.g. echo hello) use escapeshellcmd().
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Sat Nov 01 16:00:01 2025 UTC