Is PHP backtick operator (` `) dangerous?

Posted by Ben Watson on 27th March 2020

So today I was doing a coding challenge where the objective was to achieve the desired functionality using the least number of bytes possible in one single line. I’d reached a point where I was making aesthetic changes. One of these aesthetic changes was using ` instead of “

Pointless, I know but it did cause me to stumble on some very strange PHP behaviour I was surprised to see.

If you don’t know already this symbol `, in PHP, is called the backtick operator. If you’re anything like me and been keeping an eye on the world of ES6 you’ll know that this symbol in Javascript is used for template literals. However, unlike Javascript backticks in PHP should absolutely not be used for templating or outputting any user input.

Why? Essentially because the backtick is an alias for the function shell_exec. While this is clearly described in the PHP docs, I imagine most people assume they’re similar to JS template literals therefore, safer for outputting user data but instead, it’s the complete polar opposite!

Hopefully all of you out there have spotted this issue already but if this is the first you’ve heard of it, maybe have a quick glance over some of your code to make sure you only really use it when needed.

Now, I used the word “issue” in the last paragraph, however, it seems not everybody agrees with me on this. A recent RFC rejected deprecating the exec functionality of the backtick operator with 26 to 11 in favour of not depreciating. Please let me know if you agree with the RFC and let me know if you think I’m naïve for thinking backtick was similar to js string literals.