On 10/3/07, tony.chamberlain@xxxxxxxxx <tony.chamberlain@xxxxxxxxx> wrote:
>
> I have to write some BASH scripts.
> We have all heard about security problems with shell variables
> (i.e. when entering a name someone enters something like "Tony; rm -rf /root/*")
> so that if the BASH script echoes it, it will do something like echo Tony; rm -rf /root/*.
>
> Now we have honest users here, but I still want to do some checks. If I
> read in or get a shell variable from a user I could do something like
>
> echo "$VAR" | grep '[^a-zA-Z/_-]'
> if [ $? -eq 0 ]
> then
>     echo "You have entered a bad character"
>     exit 1
> fi
>
> but that still runs into the problem like above with the echo. I also could do
>
> case "$VAR" in
>     *\;*|*\:*) echo "you have a bad character"
>     ;;
> esac
>
> but I am not sure that is best either. Is there any way to validate shell variables?
> I know Javascript, etc., has something like url_encode()
--

If all you are looking to do is grab everything up to the first ; or : (anything after is deemed invalid), you could use string manipulation. Test it out as follows:

    read -r name; echo "${name%%+(;|:)*}"

It will echo everything up to the first ; or : (omitting the invalid character and everything after). This will only work if you have extglob enabled as a shopt. If this does what you want, you can assign the value of your variable using that string manipulation, hence cutting out the ; or : and everything after. No testing conditions. If there are other characters you wish to exclude, simply add them in the pattern by separating each with the pipe |.

Type shopt to see your shell options. See if extglob is on. If not, you can turn it on with shopt -s extglob. You can later unset that option with shopt -u extglob. Of course you'll likely want your script to save the setting for extglob at the start, set it on for the script, then reset it back to what it was after.

Jacques B.
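A worked example added here (not code from either poster): the whitelist check from the question and the "cut at the first ; or :" idea from the reply, written in POSIX sh so it needs no extglob. The function names and the sample inputs are my own.

```shell
#!/bin/sh
# Added example: whitelist validation and suffix truncation in POSIX sh.

# Return 0 if $1 contains only letters, digits, slash, dot, underscore
# or dash; return 1 otherwise. Same bracket expression as the grep in
# the question, but evaluated by the shell itself (no echo, no fork).
is_safe_name() {
    case "$1" in
        '') return 1 ;;                      # reject empty input as well
        *[!A-Za-z0-9/._-]*) return 1 ;;      # any character outside the whitelist
        *) return 0 ;;
    esac
}

# Portable form of the reply's ${name%%+(;|:)*}: ${var%%pattern} with a
# bracket expression drops the first ';' or ':' and everything after it.
truncate_at_separator() {
    printf '%s' "${1%%[;:]*}"
}

# Constructed sample inputs for demonstration.
GOOD="Tony/home_dir-1"
BAD="Tony; rm -rf /root/*"

main() {
    for v in "$GOOD" "$BAD"; do
        if is_safe_name "$v"; then
            # Keep the expansion quoted: "$v" stays one argument, and
            # printf (unlike echo) does not interpret its data argument.
            printf 'accepted: %s\n' "$v"
        else
            printf 'rejected: %s\n' "$v" >&2
        fi
    done
    printf 'truncated: %s\n' "$(truncate_at_separator "$BAD")"
}

main
```

Validation rejects the second input outright; truncation keeps only "Tony" from it, and both results are what a script should check before using the value anywhere else.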