The title on this seems pretty misleading.<p>This is really a guide on how to use escapeshellarg when you should use escapeshellcmd (or the opposite). Of course, the API of system() is pretty awful, so there <i>is</i> an issue here in the form of "wow, PHP makes this really easy to mess up," but there's no actual exploit in either function mentioned. Just exploits in code people write using them. I guess the LANG one is arguably an actual exploit though, though that gets into arguing semantics.<p>Edit: there's also an example that is missing quotes around an argument. Again, something very easy to mess up, but that's what you get when you have a function that is basically like typing a line into the shell.
I'm confused how a list of clever ways to get executables to initiate other executables is somehow an "exploit" of a programming language offering a system(3) call?<p>How about we just don't run system calls, especially none that contain any amount of user input.
Ah yes, "PHP "security"". Yes, untrusted user input going to the shell is a bad idea, even when "sanitized".<p>Of course, unlike other saner languages, bypassing the shell isn't always an option. When running under Apache, pcntl_exec() isn't available, so you just gotta hope and rely on escapeshellarg(), addbackslashes(), and prayer.
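
An added example, not part of any comment above: it shows how one user-supplied value is split into arguments after escapeshellcmd() versus escapeshellarg(), and the same call made with no shell at all through the array form of proc_open(). It assumes PHP 7.4 or later on a POSIX host with a `printf` binary on the PATH; `viaShell`, `withoutShell` and the sample value are hypothetical names and constructed data.

```php
<?php
// Added example, not code from the thread. Assumes PHP >= 7.4 on a POSIX host.

// Constructed sample: one user-supplied filename with spaces and a leading dash.
$input = '-n report 2024.txt';

// Hypothetical helper: run a shell command line and return its output lines.
// printf prints every argument it receives as "[arg]", so the result shows
// how the shell split the command line.
function viaShell(string $argString): array
{
    exec("printf '[%s]\\n' " . $argString, $lines);
    return $lines;
}

// Hypothetical helper: same probe, but the argv array is handed straight to
// the program (array form of proc_open, PHP 7.4+), so no shell parses it.
function withoutShell(array $args): array
{
    $cmd  = array_merge(['printf', '[%s]\n'], $args);
    $proc = proc_open($cmd, [1 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('proc_open failed');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    return explode("\n", rtrim($out, "\n"));
}

// escapeshellcmd() backslash-escapes metacharacters but adds no quotes, so
// the shell still splits on spaces: the one value arrives as three arguments.
print_r(viaShell(escapeshellcmd($input)));

// escapeshellarg() wraps the value in single quotes: it arrives as one argument.
print_r(viaShell(escapeshellarg($input)));

// No shell, no escaping: each array element is exactly one argument.
print_r(withoutShell([$input]));

// In the last two cases the single argument still begins with "-", so the
// called program may read it as an option; escaping does not change that.
// Where the program supports it, place "--" before user-supplied operands.
```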