Databases
StackOverflow2013
Postsdbo
POPHP exec() and spaces in paths
Body
 

Note that there are some explanatory texts on larger screens.

plurals
  1. POPHP exec() and spaces in paths
    text
    copied!<p>I'm executing the following in a PHP application:</p> <pre><code> $source = '/home/user/file.ext'; $output_dir = $this-&gt;setOutputString(); chdir('/home/ben/xc/phplib/bgwatcher-2011a/a01/'); exec('php bin/createjob.php $source $output_dir', $output); return $output[0]; </code></pre> <p>The problem is this: I have control over <code>$source</code>, but not <code>$output_dir</code>, which is a legacy Windows filesystem, and there are spaces in the path. An example <code>$output_dir</code> is:</p> <pre><code>/home/vol1/district id/store id/this_is_the_file.html </code></pre> <p>When inserting the output string into the <code>exec()</code> function, I have tried both:</p> <p><code>addslashes($output_dir)</code> and <code>'"' . $output_dir . '"'</code> to escape the entire output string. In the first case, the path gets concatenated to:</p> <p><code>/home/vol1/districtthis_is_the_file.html</code></p> <p>... where everything between the first space and the filename gets dropped. In the second case, <code>exec()</code> appears to throw a shoe and doesn't execute properly - unfortunately, the error message is getting lost in the machinery - I can provide it if it's absolutely necessary, but I'm also under time constraints to find a solution.</p> <p>What's the solution, here? Do I <code>sprintf()</code> the entire string for <code>exec()</code>? I'm very confused as to why <code>addslashes</code> isn't working correctly to escape the spaces, and I assume it has something to do with sanitization with exec(), but I can't find any documentation to back it up.</p> <p><strong>Update:</strong> I've tried escapeshellarg() and preg_replace() without success. Thinking about this further, do I need to double-escape the path? Or escape the path and the command? If the path is being unescaped once by exec(), and once by PHP before it executes the command, does it stand to reason that I need to account for both escapes? Or is that not how it works?</p>
 

Querying!

 
Guidance
An individual column

Larger individual text columns get their own page to allow for proper reading.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload