%escapeshellcmd()% escapes more characters, but doesn't quote: % ^ ( ) [ ] { } $ \ 0x0A 0xFF]]>%

'; $also_bad_format = escapeshellarg($bad_format); $ok_format = escapeshellcmd($bad_format); // redirection error system("/usr/local/bin/formatter-$bad_format"); // no such program system("/usr/local/bin/formatter-$also_bad_format"); // runs program with correct argument system("/usr/local/bin/formatter-$ok_format"); ]]>