lhunath 1312549026 learn Only combine two strings when they are of the same context. Eg. do NOT inject data into mysql/sed/awk/perl/.. code. If you do, breakage WILL follow, and anybody that controls the data can execute arbitrary code.
lhunath 1314567048 forget
lhunath 1314567186 learn Only EVER combine two strings when you're CERTAIN they are of the same context. Eg. do NOT put data and code together in a bash/mysql/sed/... command. In bash, you can convert your data to code like this: printf 'rm %q' "$file"
lhunath 1314567275 forget
lhunath 1314567323 learn Only EVER combine two strings when you're CERTAIN they are of the same context. Eg. do NOT put data and code together in a bash/mysql/sed/... command. In bash, you can convert your data to code that represents your literal data using printf: printf 'rm %q' "$file"
lhunath 1370525978 forget
lhunath 1370526075 learn Always avoid injecting data into code. Only EVER combine two strings when you're CERTAIN they are of the same context. Eg. do NOT put data and code together in a bash/mysql/sed/... command. Try /msg greybot ![lang]quote to learn how to convert literal data into [lang] code for safe injection. (eg. !shquote, !requote)
lhunath 1385151908 forget
lhunath 1385152105 learn NEVER combine two strings of a different context. First, convert them to be of the same context. BAD: ssh host "rm $file" GOOD: ssh host "$(printf 'rm %q' "$file")" - BAD: mysql <<< "INSERT Students SET Name=$name" GOOD: mysql <<< "INSERT Students SET Name=$(mysqlquote "$name")" - Try ![lang]quote (eg. !shquote, !requote, !urlquote, ...)
lhunath 1385152224 forget
lhunath 1385152352 learn NEVER combine two strings of a different context. First convert them to the target context. BAD: ssh host "rm $file" GOOD: ssh host "$(printf 'rm %q' "$file")" - BAD: mysql -e "INSERT Students SET Name=$name" GOOD: mysql -e "INSERT Students SET Name=$(mysqlquote "$name")" - Try ![lang]quote (eg. !shquote, !requote, !urlquote, ...)
greycat 1503003969 forget
greycat 1503003971 learn Don't pass user-supplied data in a context where it could be interpreted as code. BAD: ssh host "rm $file"; GOOD: ssh host "$(print 'rm %q' "$file")"; see http://mywiki.wooledge.org/BashProgramming/05
greycat 1503004048 forget
greycat 1503004058 learn Don't pass user-supplied data in a context where it could be interpreted as code. BAD: ssh host "rm $file"; GOOD: ssh host "$(printf 'rm %q' "$file")"; see http://mywiki.wooledge.org/BashProgramming/05
greycat 1664317801 forget
greycat 1664317803 learn Don't pass user-supplied data in a context where it could be interpreted as code. BAD: awk "/$input/{print \$1}"; BETTER: awk -v inp="$input" '$0 ~ inp {print $1}'; See https://mywiki.wooledge.org/CodeInjection