Cannot pass double-quoted arguments to php shell

Question

I have a long string which consists of command line arguments. The arguments have been wrapped in double-quotes. When I pass in the command to exec, nothing happens. I tried passing the string in escapeshellarg() before passing into exec, but it had no effect.
The string is as follows:

/usr/bin/python3 /home/johndoe/src/crm_api.py "jack" "london" "jack@yahoo.com" "09061414145" "No. 1, George St. Ave., CA, USA" "California" "CA" "2222222222" "United States" "$2y$10$U81IfXi7r7hx4xggYTpcJesRblqTKrGAbgM388/v0pH.qtOfLVLfi"

The code using the string is as follows:

    $command = "/usr/bin/python3 /home/johndoe/src/crm_api.py " .
            $crm_first_name . " " .
            $crm_last_name . " " . $crm_email . " " . $crm_phone . " " .
            $crm_address . " " . $crm_city . " " . $crm_state . " " .
            $crm_zip . " " . $crm_country . " " . $crm_password;

    echo '<script>console.log(\'' . $command . '\');</script>';


    echo $command;
    echo '<script> alert(\'' . $command . '\');</script>';
    $cResult = exec($command);
    echo '<script>console.log(' . $cResult . ');</script>';

Answer 1

Yes, escapeshellarg() is the tool to escape shell arguments. E.g.:

$script = '/usr/bin/python3 /home/johndoe/src/crm_api.py';
$args = [
    $crm_first_name,
    $crm_last_name,
    $crm_email,
    $crm_phone,
    $crm_address,
    $crm_city,
    $crm_state,
    $crm_zip,
    $crm_country,
    $crm_password,
];
$command = $script . ' ' . implode(' ', array_map('escapeshellarg', $args));

(You could also apply it to the script path itself but it isn't necessary here since it's hard-coded.)

Demo