I want to run a command from a bash shell script which has single quotes and some other commands inside the single quotes and a variable.
e.g. repo forall -c '....$variable'
In this format, $ is escaped and the variable is not expanded.
I tried the following variations but they were rejected:
repo forall -c '...."$variable" '
repo forall -c " '....$variable' "
" repo forall -c '....$variable' "
repo forall -c "'" ....$variable "'"
If I substitute the value in place of the variable the command is executed just fine.
Please tell me where I am going wrong.
just use printf
instead of
use printf to replace the variable token with the expanded variable.
For example:
Does this work for you?
Below is what worked for me -
Variables can contain single quotes.
Inside single quotes everything is preserved literally, without exception.
That means you have to close the quotes, insert something, and then re-enter again.
As you can verify, each of the above lines is a single word to the shell. String concatenation is simply done by juxtaposition. Quotes (single or double quotes, depending on the situation) are used to disable interpretation of various special characters, like whitespace, $, ;... For a good tutorial on quoting see Mark Reed's answer. Also relevant: Which characters need to be escaped in bash?

Do not concatenate strings interpreted by a shell
You should absolutely avoid building shell commands by concatenating variables. This is a bad idea similar to concatenation of SQL fragments (SQL injection!).
Usually it is possible to have placeholders in the command, and to supply the command together with variables so that the callee can receive them from the invocation arguments list.
For example, the following is very unsafe. DON'T DO THIS
If the contents of $myvar is untrusted, here is an exploit:
Instead of the above invocation, use positional arguments. The following invocation is better -- it's not exploitable:
Note the use of single ticks in the assignment to script, which means that it's taken literally, without variable expansion or any other form of interpretation.
EDIT: (As per the comments in question:)
I've been looking into this since then. I was lucky enough that I had repo lying around. Still it's not clear to me whether you need to enclose your commands between single quotes by force. I looked into the repo syntax and I don't think you need to. You could use double quotes around your command, and then use whatever single and double quotes you need inside provided you escape double ones.
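
The two points made in the answers above (closing and re-entering single quotes, and passing values as positional arguments instead of concatenating them into a shell string), as an added example that is not from the original posts. Here `sh -c` stands in for any command that hands a string to a shell; the function names and the sample value are constructed for illustration.

```shell
#!/bin/sh
# Added example: POSIX sh; names and the sample value are constructed.

# Quote a value for embedding in shell source: close the single quotes,
# insert an escaped quote, re-enter ('\''). The trailing "x" sentinel keeps
# command substitution from stripping newlines at the end of the value.
sq_quote() {
    _q=$(printf '%sx' "$1" | sed "s/'/'\\\\''/g")
    printf "'%s'" "${_q%x}"
}

# UNSAFE: the value is pasted into the command string, so a quote inside it
# ends the literal and the rest is parsed as shell code.
run_concat() {
    sh -c "printf '%s\n' '$1'"
}

# Safer when the value must be part of the string: quote it first.
run_quoted() {
    sh -c "printf '%s\n' $(sq_quote "$1")"
}

# Best: constant script in single quotes, value passed as an argument.
# The word after the script becomes $0, the value becomes $1.
run_positional() {
    script='printf "%s\n" "$1"'
    sh -c "$script" sh "$1"
}

# Constructed untrusted value containing single quotes and separators.
payload="x'; echo INJECTED; echo 'y"

echo "concatenated:"; run_concat "$payload"
echo "quoted:";       run_quoted "$payload"
echo "positional:";   run_positional "$payload"
```

Only the concatenated form prints a separate INJECTED line; the other two print the value back unchanged.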