Is there a way in php to execute a command with arguments but without having "shell".
The problem is that both exec() and shell_exec() runs the supplied string in a shell and therefor any user inputted data must be escaped.
Is there a way to do it like:
some_exec(["command","argument","argument])
As one would do it in for example Python or Java.
I would very much be able to execute commands with arguments without having to escape some of the arguments.
I'm working on a UI for a router and the Wifi key is set trough a command and right now I have to escape the string which limits the number of characters that the key can contain. If i where not to escape the key one could do injections without any problems.
Clarification The reason why this actually is an annoying problem in this case is that i need to execute the following command:
wireless.@wifi-iface[0].key='<the password>'
The problem is that since the password is being set in a string this password , $il|\|t would become \$ile\|\\\|t and the problem now is that incorrect password is a valid one. And so the password that was stored is not the same as the user entered.
And even though we enter the password in a string we can still do an inject like this ' ; reboot ; '
I have some trouble understanding your need not to escape arguments. I tried to call echo with an escaped string, and echo displays the original string :
$cmd = 'echo';
$passwd = escapeshellarg('&#;`|*?~<>^()[]{}$');
echo 'ARG : ' . $passwd . PHP_EOL;
exec($cmd . ' ' . $passwd, $output);
echo 'exec : ' . $output[0] . PHP_EOL;
echo 'passthru : ';
passthru($cmd . ' ' . $passwd);
echo 'shell_exec : ' . shell_exec($cmd . ' ' . $passwd);
echo 'system : ';
system($cmd . ' ' . $passwd);
Here is the output :
ARG : '&#;`|*?~<>^()[]{}$'
exec : &#;`|*?~<>^()[]{}$
passthru : &#;`|*?~<>^()[]{}$
shell_exec : &#;`|*?~<>^()[]{}$
system : &#;`|*?~<>^()[]{}$
Could you give an example of the command you want to execute ?