So let’s say we have the following code:
<?php
$str = addslashes($_GET['str']);
$cmd = 'sometool "'.$str.'"';
system($cmd);
?>
Is it secure? Can I escape from the double quotes somehow? The operating system is Linux.
Purely theoretical consideration. I don’t use it in my code 😉
Answer
It’s not secure. You can still pass some arguments that will be malicious, i.e. execute other files in system.
<?php
// Stand-in for $_GET['str']: addslashes() leaves this value untouched
// because it contains none of ' " \ or NUL.
$var = '$(sh file.sh)';
$str = addslashes($var);
// Inside a double-quoted sh argument, $(...) is still command
// substitution, so the shell runs "sh file.sh" before calling sometool.
$cmd = 'sometool "'.$str.'"';
system($cmd);
You should use the escapeshellarg method for escaping shell arguments.
$str = escapeshellarg($_GET['str']);
$cmd = 'sometool ' . $str;
system($cmd);
Note that you have to use the argument $str as it is and that it will be a single argument. You must not surround it with quotes ' or double quotes ".
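As an added illustration (not code from the question or the answer above), the following PHP script builds the command string both ways for a few constructed inputs, including the one from the answer, without executing anything, so you can see exactly what the shell would receive:

```php
<?php
// Added example: compare the command string produced by addslashes()
// inside double quotes with the one produced by escapeshellarg().
// Nothing is executed; the strings are only built and printed.

function build_with_addslashes(string $input): string
{
    // addslashes() backslash-escapes only ' " \ and NUL. Inside a
    // double-quoted sh argument $ ` and \ keep their special meaning,
    // so $(...) is expanded by the shell before sometool ever runs.
    return 'sometool "' . addslashes($input) . '"';
}

function build_with_escapeshellarg(string $input): string
{
    // On Linux escapeshellarg() wraps the value in single quotes and
    // rewrites each embedded ' as '\'' . The shell expands nothing
    // inside single quotes, so the whole value reaches sometool as one
    // literal argument. No extra quotes must be added around it.
    return 'sometool ' . escapeshellarg($input);
}

// Constructed sample inputs; the first is the payload from the answer.
$samples = [
    '$(sh file.sh)',
    'plain text',
    "it's quoted",
];

foreach ($samples as $input) {
    printf("input:          %s\n", $input);
    printf("addslashes:     %s\n", build_with_addslashes($input));
    printf("escapeshellarg: %s\n\n", build_with_escapeshellarg($input));
}
```

If you can require PHP 7.4 or newer, passing an array such as `['sometool', $str]` to proc_open() runs the program without involving a shell at all, which removes the quoting problem entirely.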