User input into Bash scripts and checking validity of user input??
Hello,
I write quite a few little bash scripts to do all sorts of funky stuff. The problem is they would be in an insecure state, i.e. when reading or making use of user input in a script, I haven't checked what the user has input into the script, therefore obviously leaving open a security hole where the script could end up doing other things I don't want it to do. What's the best way in bash to validate user input to reduce the chances of this happening? Read in user input, or when starting a script with an argument (./script argument),
this argument isn't validated, so it could be:
yes my name is me;rm -Rf /*
So it's basically reducing what could happen, therefore I guess one thing to do would be to check for occurrences of ';' in any user input. What else, and how should I do this?
I doubt that a user's input can be executed as a command. If you use the read statement, the whole input line is stored in a variable, and most likely your script does not simply eval that variable. If input is passed as arguments, you can do all the checks you need, but again you will not simply eval the arguments, will you?
Ooo, sorry, I thought it was some term I've not heard of yet :-) Yeah, now that makes sense. But there must still be some method I could use to check for possible incorrect input that could cause a problem like the one I've suggested?
Cheers
IMHO you should ensure user input remains inert, not executed. There's probably a Googolplex of docs around about input sanitation I haven't tried to find, but AFAIK input sanitation in the sense of "blacklisting" requires you to safeguard against every known iteration and every loophole, which is inefficient and unsafe because you don't cover everything, you can be sure of *that*. Input sanitation in the "whitelisting" sense (only allowing a few options) is relatively safer because it is more restrictive (sudo-like). So you could 'declare -r goodChars="1234567890-_.abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"' then 'scrubbedString="${userInput//[^$goodChars]/}"'. Doing something like 'declare -r badChars=";:,.[]{}<>"' leads to frustration. Frustration leads to anger, and we all know what anger leads to :-]
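The whitelist approach above, written out as a runnable script. This is an added example, not code posted in the thread: it uses unspawn's character set plus a space, exposes both a "scrub" function (drop anything outside the whitelist) and a stricter "reject" check with an assumed maximum length of 64, and it moves the hyphen to the end of the list, because a hyphen sitting between two characters inside a bracket expression ("0-_") is read as a range and would quietly admit characters like ';' and '<'.

```shell
#!/bin/bash
# Added example, not code from the thread: whitelist-style handling of a
# user-supplied string. The character set is the one unspawn proposed, with a
# space added, and the hyphen moved to the END of the list: inside a bracket
# expression a hyphen between two characters ("0-_") denotes a range, which
# would silently admit characters such as ';' and '<'.
declare -r goodChars='1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ ._-'
declare -r maxLen=64   # assumed upper bound; pick what the script really needs

# scrub: drop every character outside the whitelist (unspawn's substitution).
scrub() {
    printf '%s' "${1//[^$goodChars]/}"
}

# is_clean: succeed only when the input is non-empty, within maxLen, and made
# entirely of whitelisted characters. Rejecting is usually better than scrubbing:
# the user finds out the input was bad instead of getting a surprising result.
is_clean() {
    [ -n "$1" ] && [ "${#1}" -le "$maxLen" ] || return 1
    case "$1" in
        *[!$goodChars]*) return 1 ;;
    esac
    return 0
}

# Constructed sample standing in for what `read` or "$1" would supply:
sample='yes my name is me;rm -Rf /*'
if is_clean "$sample"; then
    echo "accepted: $sample"
else
    echo "rejected; the scrubbed form would have been: $(scrub "$sample")"
fi
```

Note that scrubbing the sample still leaves "rm -Rf" in the string; it is inert because nothing evals it, but the reject path makes the bad input visible to the user, which is why is_clean is the one to call on anything that matters.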
IMHO you should ensure user input remains inert, not executed.
I subscribe to this. It is what I meant in my first post (thanks Unspawn for summarizing).
You should know a priori what a user's input should be and check it accordingly. If you expect a random sequence of characters, never execute it. Actually I cannot figure out a script that accepts commands as input: if the user can execute the script, most likely he can execute any command (unless he runs in a restricted shell). On the other hand if the user is meant to drive how the script works, you may use options (see getopts).
Returning to your original question (how to check if a string contains a semi-colon) you can use the method suggested by Unspawn (I would add also a blank space in the list of good characters) and check if a string contains any unwanted character. Or simply do a literal
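Following colucix's suggestion to drive the script with options rather than free-form text, here is an added example (not code from the thread) that parses arguments with getopts and checks each option value against the shape it is expected to have. The option letters -n (a name) and -c (a repeat count from 1 to 100) and the 32-character limit are assumptions for the sake of the example.

```shell
#!/bin/bash
# Added example, not code from the thread: instead of accepting free-form text
# that decides what the script does, let the user choose behaviour through
# getopts options, and check each option argument against the shape it must
# have. The option letters -n (a name) and -c (a repeat count) are hypothetical.

# validate_name: 1-32 characters, each a letter, digit, space, dot, underscore
# or hyphen (hyphen last so it is not read as a range inside the brackets).
validate_name() {
    local allowed='A-Za-z0-9._ -'
    [ -n "$1" ] && [ "${#1}" -le 32 ] || return 1
    case "$1" in
        *[!$allowed]*) return 1 ;;
    esac
    return 0
}

# validate_count: a plain decimal integer from 1 to 100; anything else, including
# an empty string or "5;reboot", is refused before it ever reaches a test like -ge.
validate_count() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 100 ]
}

# parse_args: parse "$@" with getopts; print "name count" when both values pass
# validation, otherwise report the bad option on stderr and return 1.
parse_args() {
    local name='' count=1 opt
    OPTIND=1
    while getopts 'n:c:' opt "$@"; do
        case "$opt" in
            n) name=$OPTARG ;;
            c) count=$OPTARG ;;
            *) return 1 ;;   # unknown option or missing argument
        esac
    done
    validate_name "$name"   || { echo "invalid -n value" >&2; return 1; }
    validate_count "$count" || { echo "invalid -c value" >&2; return 1; }
    printf '%s %s\n' "$name" "$count"
}

# Demonstration with constructed arguments (nothing is read from a terminal):
if result=$(parse_args -n 'alice smith' -c 5); then
    echo "accepted: $result"
fi
if ! parse_args -n 'me;rm -Rf /*' -c 5 2>/dev/null; then
    echo "rejected: the -n value contained characters outside the whitelist"
fi
```

The point of the count check is that "$1" -ge 1 is only safe once "$1" is known to be digits; validating the shape first means a value like "5;reboot" never reaches an arithmetic test or anything else that might interpret it.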
I was working on something similar, and used "tr" to strip all non-alphanumeric characters from the input. The following example also allows for spaces and tries to avoid shell expansion in handling of the variables.
Code:
#!/bin/bash
echo "Enter variable: "
# -r keeps backslashes in the input literal instead of treating them as escapes
read -r VAR_INPUT
# Sanitize input and assign to new variable: keep only letters, digits and whitespace
export VAR_CLEAN="$(printf '%s' "${VAR_INPUT}" | tr -cd '[:alnum:][:space:]')"
echo "New Variable: ${VAR_CLEAN}"
You can also limit the number of characters to ten with "cut -c -10", etc, etc. The sky's the limit.
Hope this is useful for others. All improvements to the code welcome!
Gilbert Mendoza
Last edited by gmendoza; 07-09-2008 at 01:50 PM.
Reason: minor syntax issue