0

I have var="arg1"" arg2"" arg3" and I want to use it against a a command as such below

java $VAR"

And the above works, but I read that the safer way for variable substitution is quoting it and hence I tried

java "$VAR". The problem with this is that all the arguments get treated as one argument.

I read a lot of solutions that talk about using arrays, but that is limited to Bash like shells. Some talked about eval but from the number of comments to that I have come to know it's insecure. Some talked about setting a different IFS - I thought about reading IFS and using that to separate my args in $VAR. But the IFS on that system already had space in it.(So at a loss here about that).

Is there a cross-shell approach to achieve what I want, in a safe way? Or should I roll back to just java $VAR

Sam Thomas
  • 647
  • 7
  • 25
  • *How* cross-shell? Portable to ksh, zsh and bash (but not `/bin/sh`), you have arrays, which are *really* the Right Thing. There's a *reason* everyone else supports arrays -- because you *need* them to write correct code. – Charles Duffy Jan 14 '20 at 22:59
  • Well if I leave it as unquoted variable, it will work everywhere right? – Sam Thomas Jan 15 '20 at 00:38
  • ...only for a very limited value of "work". See [BashFAQ #50](https://mywiki.wooledge.org/BashFAQ/050) describing the limitations. – Charles Duffy Jan 15 '20 at 00:43
  • Honestly, it's *possible* to use `eval` safely, it's just a lot of trouble to go through to get all the details right. (For example, Python's `shlex.quote()` function or its Python-2 predecessor `pipes.quote()` can generate strings that are safely `eval`able by any POSIX-compliant shell, but you then need to do the work of getting your pushed through a Python interpreter running the appropriate transform before any situation where it could possibly be substituted into code). – Charles Duffy Jan 15 '20 at 00:45
  • @CharlesDuffy Agreed. Thanks for Bash FAQ, wonderful read. – Sam Thomas Jan 15 '20 at 00:52

0 Answers0