[nycphp-talk] escapeshellcmd stupidity?

Allen Shaw ashaw at
Fri Jan 2 12:05:39 EST 2009

Hi All,

I have a shell script that manages my todo list, and I'd like to access 
it through the Web as well, for convenience when I'm traveling.  ssh is 
not ideal here, since Web gives me access from any machine without 
downloading PuTTY, for example.  Basic auth seems enough to protect my 
todo list from abuse, but the stakes get higher when we consider that 
I'm accepting shell script arguments over the web -- poor security could 
easily lead to arbitrary code being passed to the shell.

Can anyone here comment on the wisdom of relying on escapeshellcmd() in 
a situation like this?  For example:
    $script_path = '/path/to/shell/script';
    shell_exec(escapeshellcmd("$script_path {$_POST['user_input']}"));

It looks right to me, and I've confirmed that it "works," but I can't 
test to confirm it's "safe."  I'd appreciate it if someone more 
experienced could tell me if this is just a Bad Idea.


Allen Shaw
slidePresenter (

More information about the talk mailing list