This question talks about using the system command and passing variables. Here is an example it gives:
string cmd("curl -b cookie.txt -d test=");
cmd += line;
cmd += " http://example.com";
system(cmd.c_str());
One of the comments mentions that if line was passed and contained foo & fire_nukes.exe & REM then it's quite possible something bad could happen.
PHP has a great function called escape_shell_args which can be used to escape parameters that are being passed to the program. Does C++ have a way to do that?
The best way is not to use system() at all. Use fork() and exec() and friends.
Here's an example:
#include <string>
#include <unistd.h>
#include <error.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <errno.h>
#include <cstdlib>
int fork_curl(char *line)
{
std::string linearg("line=");
linearg += line;
int pid = fork();
if(pid != 0) {
/* We're in the parent process, return the child's pid. */
return pid;
}
/* Otherwise, we're in the child process, so let's exec curl. */
execlp("curl", "-b", "cookie.txt", "-d", linearg.c_str());
/* exec is not supposed to return, so something
must have gone wrong. */
exit(100);
/* Note: You should probably use an exit status
that doesn't collide with these used by curl, if possible. */
}
int main(int argc, char* argv[])
{
int cpid = fork_curl("test");
if(cpid == -1) {
/* Failed to fork */
error(1, errno, "Fork failed");
return 1;
}
/* Optionally, wait for the child to exit and get
the exit status. */
int status;
waitpid(cpid, &status, 0);
if(! WIFEXITED(status)) {
error(1, 0, "The child was killed or segfaulted or something\n");
}
status = WEXITSTATUS(status);
/* Status now contains the exit status of the child process. */
}
Never pass user input into a system call. Ever.
You can try to escape all the characters that you think are dangerous, but you will get it wrong.
Instead, go at it from the other direction: let the user provide any of a selection of inputs that you define, then do a switch and build your own system call from scratch.
Admittedly this gets a little tricky when the input to the command-line application to invoke is freeform but, well, that's what actual libraries are for. libcurl, anyone?
You could try execl..
http://linux.about.com/library/cmd/blcmdl3_execvp.htm
#include <unistd.h>
int execl(const char *path, const char *arg, ...);
See the man page listing all syscalls (system calls are not the system(3) function which forks a shell).
Read more about system calls and linux kernel, and the overall organization of operating systems
Back to your question, you could quote for the shell (just follow the shell escape rules to transform your strings; for example prefix any non-letter character with a backslash).
See also the man pages of fork, execve, etc.
Read a good book on advanced linux programming and the famous Advanced Unix Programming
Use the freedom of most of the software on a Linux distribution. For example, you could study the source code of a simple shell like sash.
And perhaps you just want to use curl. Then the best way is to code for the libcurl library (without any call to system(3))
Have fun learning all this!
{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://img.manongdao.com/sparkler-677774__340.jpg', '推荐 叛逆 的文章《How can I escape variables sent to the 'system》','https://www.manongdao.com/article-440438.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}