
I would assume that wrapping user input in 'single quotes' or "double quotes" would make the input be interpreted literally. I believe that ' single quotes ' do not allow escape characters and would be the better choice. Basically, I have read some sources that state even this is not enough. Could anyone explain why? And possibly what I could do to prevent this, or resources that explain it well/clearly?

Hypothetically, would wrapping ' user input ' in double quotes, and checking for any single quotes inside the user input (like `' user';ls;'input'`) to be escaped/removed, be enough to prevent this?

I have been confused by the articles I have read and am looking for some more simply explained information.

Thanks in advance

luma09
  • The only interpretation done when you expand a variable outside quotes is wildcard expansion and word splitting. Other special characters are not processed, so it won't execute the variable as a command. Quotes are not processed, so there's no problem with nested quotes. – Barmar May 03 '23 at 21:08
  • Unless you execute the variable with `eval`. – Barmar May 03 '23 at 21:09
  • In general, you need to understand *every step* in how the string is processed. Wrapping variable references in double-quotes is generally the best practice (variables don't expand in single-quotes, so if the string is in a variable, you can't use those), but that's not always the whole story. See my previous answers to questions like this [here](https://security.stackexchange.com/questions/245465/are-positional-parameters-vulnerable-to-command-injection/245491) and [here](https://stackoverflow.com/questions/72971590/bash-test-injection-vulnerability-with-v/72972332) for examples. – Gordon Davisson May 03 '23 at 21:44
  • @Barmar https://stackoverflow.com/questions/17529220/why-should-eval-be-avoided-in-bash-and-what-should-i-use-instead - in particular: https://www.vidarholen.net/contents/blog/?p=716 – jhnc May 03 '23 at 21:49
  • For detailed information about ways that [Code injection](https://en.wikipedia.org/wiki/Code_injection) can occur with Bash code, and what to do about them, see [BashProgramming/05 (Avoiding code injection) - Greg's Wiki](https://mywiki.wooledge.org/BashProgramming/05). It doesn't cover code injection with namerefs though. See the [answer by Stephane Chazelas](https://unix.stackexchange.com/a/637386/264812) to [Why does substituting eval with declare (for creating dynamic variables) result in an empty variable?](https://unix.stackexchange.com/q/637379/264812). – pjh May 04 '23 at 00:14

0 Answers
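The point the comments make (a variable expanded outside quotes is only word-split and globbed, never parsed as commands, and `"$var"` is not even split) can be checked directly. The script below is an added example, not code from the question or from any of the commenters; the inputs such as `user';ls;'input` are constructed, and `run_with_args` is a hypothetical helper showing the usual replacement for building a command string for `eval`: pass untrusted text as its own argument via the positional parameters.

```shell
#!/bin/sh
# Added example (not from the question or comments): what the shell does with
# untrusted text that arrives in a variable. All sample inputs are constructed.

# Reports how many arguments it received; used to observe word splitting.
count_args() { echo "$#"; }

# Double-quoted expansion: the value is passed on as exactly one word, no
# matter which quotes, semicolons or spaces it contains.
quoted_word_count() { count_args "$1"; }

# Unquoted expansion: the shell splits the value on whitespace (and would
# expand wildcards), but it still does not parse the text as commands.
# Quote characters inside the data stay literal and are not nested quotes.
unquoted_word_count() { count_args $1; }

# Returns the text verbatim: "user';ls;'input" is data, not a command line.
echo_literal() { printf '%s' "$1"; }

# Safe way to build a command from an untrusted piece: the command word and
# each argument are separate positional parameters, so the shell never
# re-parses the untrusted text. (Contrast with eval "printf '[%s]' $1".)
run_with_args() {
    set -- printf '[%s]' "$1"   # $1 becomes one argument of printf
    "$@"
}

# Demonstration with constructed inputs.
main() {
    injected="user';ls;'input"
    echo "quoted   -> $(quoted_word_count "$injected") word(s)"   # 1
    echo "unquoted -> $(unquoted_word_count "$injected") word(s)" # 1, no spaces to split on
    echo "unquoted -> $(unquoted_word_count "a b c") word(s)"     # 3, split on spaces
    echo "literal  -> $(echo_literal "$injected")"
    run_with_args "$injected"
    echo
}
main
```

Running it shows that the `;ls;` inside the variable is never executed in any of these cases; the only difference between the quoted and unquoted forms is word splitting. Where the risk actually appears is when the text is fed back to the parser, as with `eval` or an unquoted `[[ ... ]]`/`test` expression discussed in the linked answers, which is why the recommended pattern is quoted expansions and argument lists rather than any attempt to sanitize quotes out of the input.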