Hi all.

I don't know if this is really a programming question, it's more about how to do parameter handling safely in scripts.

I have a script that takes one parameter that's supposed to be a filename, e.g.:

#!/bin/bash
echo $1 >logs/processed-files.log
tar -rf tarfiles/stuff.tar $1

This failes when there is a space in a filename. So a dirty fix is to use "$1" instead. But what about e.g.
./myscript.sh "\" ; rm * ; \""

PHP has a function called EscapeShellArg for this, so I guess it's a common problem.

What's the proper Unix way of doing this? Some sed magic?

Best regards,
Guttorm

You're more or less protected with system permissions.

As I can see, it is not a security problem here, as if the user who run your program
has the right to do this, he has also the right to run it directly in the shell.

If you want to run it as CGI, you have to conform with CGI standards and add
a security checking for the program parameter but as the script is run by apache
user and if apache is correctly configured (and permissions for Document Root too)
the risks are minimal