我有一个很长的字符串,其中包含命令行参数。参数已用双引号引起来。当我将命令传递给exec时,什么都没有发生。在尝试将字符串传递到escapeshellarg()之前,我尝试在exec中传递字符串,但是它没有任何效果。
字符串如下:
/usr/bin/python3 /home/johndoe/src/crm_api.py "jack" "london" "jack@yahoo.com" "09061414145" "No. 1, George St. Ave., CA, USA" "California" "CA" "2222222222" "United States" "$2y$10$U81IfXi7r7hx4xggYTpcJesRblqTKrGAbgM388/v0pH.qtOfLVLfi"
使用字符串的代码如下:
$command = "/usr/bin/python3 /home/johndoe/src/crm_api.py " .
$crm_first_name . " " .
$crm_last_name . " " . $crm_email . " " . $crm_phone . " " .
$crm_address . " " . $crm_city . " " . $crm_state . " " .
$crm_zip . " " . $crm_country . " " . $crm_password;
echo '<script>console.log(\'' . $command . '\');</script>';
echo $command;
echo '<script> alert(\'' . $command . '\');</script>';
$cResult = exec($command);
echo '<script>console.log(' . $cResult . ');</script>';
答案 0 :(得分:1)
是的,escapeshellarg()是逃脱shell参数的工具。例如:
$script = '/usr/bin/python3 /home/johndoe/src/crm_api.py';
$args = [
$crm_first_name,
$crm_last_name,
$crm_email,
$crm_phone,
$crm_address,
$crm_city,
$crm_state,
$crm_zip,
$crm_country,
$crm_password,
];
$command = $script . ' ' . implode(' ', array_map('escapeshellarg', $args));
(您也可以将其应用于脚本路径本身,但由于它是硬编码,因此在此不需要。)