PHP, before version 4.2, didn't provide any execl(3)-like or execv(3)-like methods to invoke external programs, thus everything goes trough /bin/sh -c and we are forced to quote arguments. To make it worse escapeshellarg() behaves badly (IMHO) with an empty string: The following function is a wrapper to system(), and it can be adapted to popen(),exec(),shell_exec():