escapeshellarg和escapeshellcmd有什么区别? [英] What's the difference between escapeshellarg and escapeshellcmd?

问题描述

PHP具有2个紧密相关的功能， escapeshellarg() 和

PHP has 2 closely related functions, escapeshellarg() and escapeshellcmd(). They both seem to do similar things, namely help make a string safer to use in system()/exec()/etc.

我应该使用哪个?我只希望能够接受一些用户输入并在其上运行命令，而不会炸毁所有内容.如果PHP的exec-type-function接受了一个字符串数组(如argv)，而该字符串绕过了shell，我会使用它.类似于Python的 subprocess.call() 函数.

Which one should I use? I just want to be able to take some user input and run a command on it, and not have everything blow up. If PHP had an exec-type-function that took an array of strings (like argv), which bypasses the shell, I'd use that. Similar to Python's subprocess.call() function.

推荐答案

来自 http://ie2.php.net/manual/zh/function.escapeshellarg.php

escapeshellarg()添加单引号 在字符串周围并用引号/转义 现有的单引号使您能够 将字符串直接传递给外壳 功能并将其视为 一个安全的论点.

escapeshellarg() adds single quotes around a string and quotes/escapes any existing single quotes allowing you to pass a string directly to a shell function and having it be treated as a single safe argument.

顾名思义，

escapeshellarg用作传递shell参数.例如，您要列出当前目录，

escapeshellarg, as its name indicates, is used as passing shell argument(s). For example, you want to list current directory,

$dir = ".";
system('ls '.escapeshellarg($dir));
escapeshellcmd('ls $dir');

两者都做类似的事情，仅取决于您处理逻辑的方式，在直接传递给这些方法以确保更好的安全性之前，请确保对您的输入进行规范化和验证.

Both do similar things and simply depends on how you handle your logic, do make sure your normalize and validate your input before passing directly to these methods for better security.

这篇关于escapeshellarg和escapeshellcmd有什么区别?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！