C function to escape string for shell command argument?

Replacing all instances of ' with '\'' then enclosing the whole string in single quotes (') is one safe way. This works even with embedded newlines. Another method would be to insert \ before each character, except that then you have to do some special treatment for newlines since \ followed by a newline is ignored by the shell, not treated as a literal newline. You'd have to surround newlines with ' (single quotes).
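
The second method described in the answer above (a backslash before every character, with each newline wrapped in single quotes), as an added example that is not part of the original answers. The names backslash_escape and shell_round_trip are hypothetical, the escaping works byte by byte, emitting '' for an empty string is an addition the answer does not mention, and the round-trip check assumes a POSIX sh reachable through popen.

```c
#define _POSIX_C_SOURCE 200809L  /* popen, pclose */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example: backslash before every byte, except that each newline is
 * wrapped in single quotes because the shell deletes \<newline>.
 * Returns malloc'd memory the caller must free, or NULL on failure. */
char *backslash_escape(const char *s) {
    size_t n = strlen(s);
    char *out, *p;
    if (n > (SIZE_MAX - 3) / 3) return NULL;   /* size would overflow */
    out = p = malloc(n * 3 + 3);               /* worst case: all newlines */
    if (out == NULL) return NULL;
    if (n == 0) { *p++ = '\''; *p++ = '\''; }  /* empty arg must stay a word */
    for (; *s != '\0'; s++) {
        if (*s == '\n') { *p++ = '\''; *p++ = '\n'; *p++ = '\''; }
        else            { *p++ = '\\'; *p++ = *s; }
    }
    *p = '\0';
    return out;
}

/* Hypothetical check: hand the escaped text to /bin/sh as the argument of
 * printf %s and return 1 only if the shell gives back exactly arg. */
int shell_round_trip(const char *arg) {
    static const char prefix[] = "printf %s ";
    char got[256], *cmd, *esc = backslash_escape(arg);
    size_t len;
    FILE *fp;
    if (esc == NULL) return 0;
    cmd = malloc(sizeof prefix + strlen(esc));
    if (cmd == NULL) { free(esc); return 0; }
    strcpy(cmd, prefix);
    strcat(cmd, esc);
    free(esc);
    fp = popen(cmd, "r");
    free(cmd);
    if (fp == NULL) return 0;
    len = fread(got, 1, sizeof got - 1, fp);
    got[len] = '\0';
    if (pclose(fp) != 0) return 0;
    return len == strlen(arg) && memcmp(got, arg, len) == 0;
}

int main(void) {  /* constructed sample: quotes, newline, metacharacters */
    const char *sample = "escape'this'\n$HOME `date` ; * & |";
    return shell_round_trip(sample) ? 0 : 1;
}
```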


There is no predefined function.

However, I believe it's sufficient to just enclose any shell argument in single quotes and make sure that single quotes are escaped.

That's the logic of the escapeshellarg function in PHP and I believe it works reasonably well.


C is not my language of choice, but here's what I came up with (having to answer the same question, myself).

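#include <stdint.h>    // SIZE_MAX
#include <stdlib.h>    // malloc
#include <string.h>    // strlen, memcpy

// Returns a newly allocated copy of str enclosed in single quotes, with
// every embedded ' rewritten as '\''. The caller must free() the result.
char* escapeshellarg(const char* str) {
    char *escStr, *out;
    size_t i,
           count = strlen(str),
           quotes = 0;

    // Count the single quotes first so the buffer is sized exactly once.
    for (i = 0; i < count; i++) {
        if (str[i] == '\'') {
            quotes++;
        }
    }

    // Each ' grows from 1 to 4 bytes; +2 for the enclosing quotes, +1 for NUL.
    if (count > (SIZE_MAX - 3) / 4) {
        return NULL;
    }
    escStr = (char *) malloc(count + 3 * quotes + 3);
    if (escStr == NULL) {
        return NULL;
    }

    // Append through a moving pointer; the sprintf(escStr, "%s...", escStr)
    // form overlaps source and destination, which is undefined behavior.
    out = escStr;
    *out++ = '\'';
    for (i = 0; i < count; i++) {
        if (str[i] == '\'') {
            memcpy(out, "'\\''", 4);
            out += 4;
        } else {
            *out++ = str[i];
        }
    }

    *out++ = '\'';
    *out = '\0';
    return escStr;
}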

Given escape'this', it will output 'escape'\''this'\''', which can then be passed to echo.

$ echo 'escape'\''this'\'''
escape'this'