by km6GEwiQqsyEKQH 1551 days ago
Escaping shell arguments is still fighting self-erected bugstacles. Why run the subprocess in a shell in the first place? Why make a string out of your argument list for the shell to parse it back to a list to finally call the process? Just exec the program directly with the argument list and do not escape anything. Just skip the dance of serializing your arguments to a string.

Unfortunately, PHP is the one scripting language that doesn't have direct exec() support! escapeshellarg() is the only tool they give you and it requires you to not shoot yourself in the foot. Even Perl has multi-arg system() that execs directly.
There is pcntl_exec for that. Unfortunately it can be (and often is) disabled and thus not widely used.
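An added example, not part of the thread: the round trip the top comment describes (argument list, to string, back to list via the shell) compared with handing the list straight to exec. It uses Python's `subprocess` because the point is language-neutral, assumes a POSIX `/bin/sh`, and the function names and the sample input are constructed for illustration.

```python
import shlex
import subprocess
import sys

# Child process that prints each argument it received on its own line.
CHILD = [sys.executable, "-c", "import sys; [print(a) for a in sys.argv[1:]]"]

# Constructed input: a "filename" that carries shell metacharacters.
HOSTILE = "report.txt; echo INJECTED"


def _lines(proc):
    return proc.stdout.splitlines()


def run_shell_unescaped(arg):
    """Serialize to a string and let /bin/sh parse it back (the risky path)."""
    cmd = shlex.join(CHILD) + " " + arg  # arg is pasted in raw
    return _lines(subprocess.run(cmd, shell=True, capture_output=True, text=True))


def run_shell_escaped(arg):
    """Same round trip, but every argument is quoted for the shell first."""
    cmd = shlex.join(CHILD + [arg])
    return _lines(subprocess.run(cmd, shell=True, capture_output=True, text=True))


def run_direct(arg):
    """No shell: the list is handed to exec as argv, nothing is re-parsed."""
    return _lines(subprocess.run(CHILD + [arg], capture_output=True, text=True))


if __name__ == "__main__":
    for fn in (run_shell_unescaped, run_shell_escaped, run_direct):
        print(f"{fn.__name__:22} -> {fn(HOSTILE)}")
```

Only the unescaped shell path splits the input into a second command; the escaped and direct paths deliver it as one argument, and the direct path does so without any quoting step that could be forgotten.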