I like the idea of a php.ini setting for the comspec (although this might
create OS specific ini files), and I do not like 'magick' stuff happening
to command parameters in any of the exec functions.
According to Windows cmd specifications the quotes are needed if one of
the special characters is present in the command line.
The special characters that require quotes are:
<space>
&()[]{}^=;!'+,`~
The user should know when to use quotes when calling any of the exec
functions.
- Frank
Wez Furlong wrote:
Is it possible that switching /S on will break existing scripts?
If so, it's probably better to make the comspec setting a PHP .ini
option that only the admin can change and allow /S to be set there.--Wez.
Well, the patch doesn't just use /S, it also automatically encloses the
argument in double-quotes.
It will break workarounds where people have put those double quotes in
manually. This was the
workaround suggested on bug 34671. It's also the workaround we'll be
using in MediaWiki until this
patch is applied, and then after it's applied we'll have to put a
version switch in. I'm interested
in seeing this patch applied in the hopes that years from now,
programmers will be able to use
shell_exec()on Windows without going through the same tortuous route I
went through to determine
why it doesn't work and how to make it work. Reading 50 screenfuls of
manual comments didn't help.Speaking of which, it would be great if the manual could be amended to
precisely document the
pre-patch (or compatibility-mode) and post-patch behaviour of the
program execution functions.A comspec setting would be nice for people wanting to use, say, cygwin
bash as a command
interpreter. But to switch automatic quoting and /S on and off, I think
you would need a
compatibility mode flag. One that's zero to indicate compatibility, so
that you can pull a trick
like this to get version-independent code:if (ini_get('windows_shell_quoting')) {
$result = shell_exec($cmd);
} else {
$result = shell_exec(ugly_hack($cmd));
}The same php.ini option could put
escapeshellarg()into a
windows-compatible mode. Maybe I should
submit that patch too, for completeness.-- Tim Starling
Frank M. Kromann wrote:
I like the idea of a php.ini setting for the comspec (although this might
create OS specific ini files), and I do not like 'magick' stuff happening
to command parameters in any of the exec functions.According to Windows cmd specifications the quotes are needed if one of
the special characters is present in the command line.The special characters that require quotes are:
<space>
&()[]{}^=;!'+,`~The user should know when to use quotes when calling any of the exec
functions.
Two sets of quotes are needed. Like this:
$result = ""c:\\program files\\some program\\prog.exe" "filename"";
This won't work:
$result = "c:\\program files\\some program\\prog.exe" "filename";
You think the user is meant to know that? I'm not suggesting magically adding quotes around
filenames which contain special characters, that's the user's responsibility. I'm suggesting adding
quotes around the entire command, with a /s switch preceding, so that the command specified by the
user is successfully passed to the command interpreter. This kind of quoting is done on Unix, see
tsrm_virtual_cwd.c around line 1016. But it is missing on Windows. It's a bug, plain and simple.
-- Tim Starling