在PHP中将Cookie变量与shell_exec一起使用

Question

I'm trying to include a user-defined variable (derived from a cookie) in a shell_exec command to name a file. Unfortunately, when I run the PHP script, the file name is spat out as just ".flv" without the variable string preceding it. I've tested the cookie and it does indeed work, but it looks like it's not being passed correctly to shall exec. Any help or advice would be greatly appreciated.

$shellvar = $_COOKIE["VideoTitle"];
$shellvar = escapeshellarg($shellvar);
shell_exec('/usr/local/bin/ffmpeg -i audio.wav -i videofile.flv $shellvar.flv 2>&1');

Answer 1

You are using single quotes in the PHP, which means it won't parse the $shellvar as a PHP variable. Then that is getting passed to the terminal, which tries to use the variable (which doesn't then exist) and it spits back a blank variable. So try replacing the single quotes with double quotes in the shell_exec command.

So the code would look like:

$shellvar = $_COOKIE["VideoTitle"];
$shellvar = escapeshellarg($shellvar);
shell_exec("/usr/local/bin/ffmpeg -i audio.wav -i videofile.flv $shellvar.flv 2>&1");

Obligatory Security Warning:
Also, I'd implore you to be careful, escapeshellarg is a good command, but I'd also recommend (on top of that) only allowing letters and numbers with a preg_match (because I'm paranoid).

Something like

if (preg_replace('/[A-Za-z0-9]*/', '', $shellvar) != "")
    echo "DISALLOWED CHARACTERS";

This way you can be at least decently sure you aren't allowing malformed names to be passed to the terminal. I'd also recommend running the commands as a specific user (who has very little access, not much more then that of using ffmpeg).