Command Injection

The exec() function is a popular function used to execute a shell command. This is a useful and convenient way to run shell commands, but the convenience heightens your risk: if tainted data is used to construct the string to be executed, an attacker can execute arbitrary commands (for example, by appending ; or | followed by a command of their own).

Although you can execute shell commands in many different ways, the best practice is to be consistent and ensure that you use only filtered and escaped data when constructing the string to be executed. Other functions that require the same careful attention include passthru(), popen(), proc_open(), shell_exec(), system(), and the backtick operator. PHP provides two escaping functions for this purpose:

escapeshellcmd() - escapes shell metacharacters (such as ; | & ` $ and unpaired quotes) in a complete command string. It does not quote spaces, so an attacker can still inject additional arguments into the command; it is a weaker protection than escaping each argument.

escapeshellarg() - wraps a single argument in single quotes and escapes any embedded single quotes, so the shell treats the value as exactly one argument. Apply it to every piece of user-supplied data, after filtering the data against the format you expect.
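The following PHP script is an added example, not code from the original post. It puts a vulnerable exec() call beside its escaped form, and shows why escapeshellcmd() alone is not enough. The tainted value is constructed inline in place of a real $_GET parameter, and validate_host() is a hypothetical whitelist filter written for this example, not a PHP built-in.

```php
<?php
// Constructed tainted input: a plausible host followed by a second command.
// In a real application this would arrive via $_GET['host'] or similar.
$tainted = "127.0.0.1; cat /etc/passwd";

// VULNERABLE: raw input is concatenated into the command, so the shell
// parses "ping -c 1 127.0.0.1; cat /etc/passwd" as two commands.
// Deliberately never called on $tainted in this script.
function ping_vulnerable(string $host): string
{
    exec("ping -c 1 " . $host, $output, $status);
    return implode("\n", $output);
}

// ESCAPED: escapeshellarg() yields '127.0.0.1; cat /etc/passwd' (single-quoted),
// so ping receives the whole string as one host name and simply fails to resolve it.
function ping_escaped(string $host): string
{
    exec("ping -c 1 " . escapeshellarg($host), $output, $status);
    return implode("\n", $output);
}

// FILTERED: reject anything that does not look like a host name or IPv4 literal
// before it ever reaches the shell. (Assumed rule for this example.)
function validate_host(string $host): ?string
{
    if (preg_match('/^[A-Za-z0-9.-]{1,253}$/', $host) !== 1) {
        return null;
    }
    return $host;
}

// Show exactly what each approach would hand to the shell.
echo "vulnerable:  ping -c 1 " . $tainted . PHP_EOL;
echo "escapeshellarg: ping -c 1 " . escapeshellarg($tainted) . PHP_EOL;
// escapeshellcmd() neutralises ";" but leaves spaces intact, so a payload such as
// "127.0.0.1 -c 100000" would still add an extra argument to ping.
echo "escapeshellcmd: " . escapeshellcmd("ping -c 1 " . $tainted) . PHP_EOL;

// Filter first, escape second: the tainted value is rejected outright.
$clean = validate_host($tainted);
if ($clean === null) {
    echo "rejected: " . $tainted . PHP_EOL;
} else {
    echo ping_escaped($clean) . PHP_EOL;
}
```

Run it with php from the command line. The design point is the order of operations: filtering (validate_host) decides whether the data is acceptable at all, and escaping (escapeshellarg) guarantees that whatever survives filtering reaches the shell as a single argument; relying on either one alone leaves a gap.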


posted @ 2010-09-18 22:34  Jackal Hu