
I am trying to make a PHP script to change Active Directory user passwords by executing PowerShell. http://pastebin.com/XYvSFjPv - for those that wish to look

Ran into a problem escaping quotes `"` and `'`. My goal is to make full use of all characters (UTF-8 standard), including quotes, as I've been through many websites on how to escape and have still not come to a satisfactory result. I would like some help in escaping these characters if at all possible, because I have found no function to easily escape characters.

I am running this script on a Windows 2008 server with IIS 7, PHP 5.4 and PowerShell v1.0,

and by observation the command shell_exec() sends to the command line, which in turn starts up PowerShell (I am not sure if I have to double escape to make this work).

And to make sure it's clear, I would like to escape the following characters, `'` and `"`, for PowerShell v1.0 using the shell_exec() command.

vonPryz
Werezwolf

1 Answer


The simplest way to pass complex arguments to PowerShell is to use the -EncodedCommand switch. It takes a Base64-encoded parameter string. No escaping is needed for the quotes or any other weird characters for that matter. This has been discussed in other posts. PHP's got a base64_encode() function that should work.

vonPryz
  • Will this disarm injection attacks as well? – Werezwolf Nov 12 '14 at 22:39
  • @Werezwolf *No*, it will not. Base64 will preserve the input. PowerShell will get input without worrying about `{`, `"` and the like. Sanity checks and sanitizing input must be done with other techniques. – vonPryz Nov 13 '14 at 06:52
  • I believe this is a part of my answer but not the total. I've enforced UTF-8 characters in PHP and I am going to continue to manually escape characters, for I haven't found a function for it. This answer should solve any problems passing it through the command line, as shell_exec() runs cmd. – Werezwolf Nov 16 '14 at 00:22
  • And I also apologise for my English, for it's not my strong point. XD – Werezwolf Nov 16 '14 at 00:24
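
One way to combine the -EncodedCommand suggestion from the answer with the injection concern raised in the comments, as an added example that is not part of the original thread or the poster's script. The function name `build_encoded_command`, the variables `$user` and `$pass`, and the `Write-Output` body are assumptions made for illustration; the mbstring extension is assumed to be loaded.

```php
<?php
// Added example, not the poster's script. All names here are hypothetical.

/**
 * Build a powershell.exe command line whose script is passed via -EncodedCommand.
 * $vars values are untrusted: they reach PowerShell only as Base64 literals
 * that the script decodes at run time, so they are never parsed as code.
 */
function build_encoded_command($body, array $vars)
{
    $prologue = '';
    foreach ($vars as $name => $value) {
        // Variable names come from our own code, but check them anyway.
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) {
            throw new InvalidArgumentException("bad variable name: $name");
        }
        if (!is_string($value) || !mb_check_encoding($value, 'UTF-8')) {
            throw new InvalidArgumentException("value for $name is not valid UTF-8");
        }
        // Base64 uses only A-Z a-z 0-9 + / =, so it cannot close the quoted literal.
        $prologue .= sprintf(
            "\$%s = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('%s'))\n",
            $name,
            base64_encode($value)
        );
    }
    // -EncodedCommand expects Base64 of the UTF-16LE script text, not UTF-8.
    $utf16 = mb_convert_encoding($prologue . $body, 'UTF-16LE', 'UTF-8');
    return 'powershell.exe -NoProfile -NonInteractive -EncodedCommand '
        . base64_encode($utf16);
}

// Constructed sample input with both quote types and PowerShell metacharacters.
$password = 'p\'a"ss`$(Get-Date);{x}';
// Stand-in body: the real script would use $user and $pass in its password-change call.
$body = 'Write-Output $pass.Length';

$cmd = build_encoded_command($body, array('user' => 'jdoe', 'pass' => $password));
echo $cmd, "\n";
// On the Windows host: $output = shell_exec($cmd);
```

Base64 here is an encoding, not protection: the password can still be recovered from the process command line by anything that can list processes or read command-line audit logs on the server.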