How to Use the PHP Backtick Execution Operator
In PHP, the backtick execution operator (`) provides a
quick and direct way to run shell commands on the host server from
within your code. This article explains how the backtick operator works,
demonstrates its basic syntax with practical examples, compares it to
equivalent PHP functions, and highlights important security precautions
you must take when executing system commands.
What is the PHP Backtick Operator?
The backtick operator (`), not to be confused with
single quotes ('), is used in PHP to execute external shell
commands. When you enclose a command in backticks, PHP passes that
command to the underlying operating system’s command line, executes it,
and returns the output as a string.
It is important to note that the backtick operator is functionally
identical to the built-in shell_exec() function.
Basic Syntax and Usage
To use the backtick operator, wrap your desired terminal command in backticks and assign the result to a variable.
<?php
// Execute the 'ls' command to list directory contents on Linux/macOS
$output = `ls -la`;
// Display the output
echo "<pre>$output</pre>";
?>If you are running PHP on Windows, you would use Windows-compatible commands instead:
<?php
// Execute the 'dir' command on Windows
$output = `dir`;
echo "<pre>$output</pre>";
?>Variable Interpolation
Like double-quoted strings, backticks in PHP support variable interpolation. This means you can dynamically pass PHP variables directly into the shell command.
<?php
$directory = "/var/www/html";
// The variable $directory is parsed inside the backticks
$output = `ls -l $directory`;
echo "<pre>$output</pre>";
?>Disabling and Limitations
The backtick operator will not work under certain server configurations:
- Disabled Functions: If
shell_execis disabled in yourphp.inifile via thedisable_functionsdirective, the backtick operator will also be disabled, and PHP will return a null value or throw an error. - Safe Mode: In older versions of PHP (prior to PHP 5.4.0), safe mode restricted the execution of external binaries.
Furthermore, the backtick operator only returns the standard output
(stdout) of the command. If the command fails, it will not return the
standard error (stderr) unless you redirect the error output in the
command itself (e.g., cmd 2>&1).
Security Best Practices
Executing shell commands using user-supplied data poses a massive security risk known as Command Injection. If an attacker can manipulate the input passed into the backticks, they can execute arbitrary commands on your server.
Never pass raw user input directly into the backtick operator. Always
sanitize and escape the input using escapeshellarg() or
escapeshellcmd().
<?php
// Unsafe: Vulnerable to command injection
$userInput = $_GET['folder'];
$output = `ls -la $userInput`;
// Safe: Escaping the argument before execution
$userInput = $_GET['folder'];
$safeInput = escapeshellarg($userInput);
$output = `ls -la $safeInput`;
?>