Generally, you’ll want to use escapeshellarg, making a single argument to a shell command safe. Here’s why:
Suppose you need to get a list of files in a directory. You come up with the following:
$path="path/to/directory"; // From user input
$files = shell_exec('ls '.$path);
// Executes `ls path/to/directory`
(This is a bad way of doing this, but for illustration bear with me)
This works “great” for this path, but suppose the path given was something more dangerous:
$path="path; rm -rf /";
$files = shell_exec('ls '.$path);
// Executes `ls path`, then `rm -rf /`;
Because the path given was used unsanitised, any command can potentially be run. We can use the escapeshell* methods to try to prevent this.
First, using escapeshellcmd:
$path="path; rm -rf /";
$files = shell_exec(escapeshellcmd('ls '.$path));
// Executes `ls path\; rm -rf /`;
This method only escapes characters that could lead to running multiple commands, so while it stops the major security risk, it can still lead to multiple parameters being passed in.
Now, using escapeshellarg:
$path="path; rm -rf /";
$files = shell_exec('ls '.escapeshellarg($path));
// Executes `ls 'path; rm -rf /'`;
That gives us the result we want. You’ll notice it’s quoted the entire argument, so individual spaces, etc, do not need to be escaped. If the argument were to have quotes itself, they would be quoted.
To summarise, escapeshellcmd makes sure a string is only one command, while escapeshellarg makes a string safe to use as a single argument to a command.