escape string for command line

Ksenia Marasanova ksenia.marasanova at gmail.com
Sat Jan 8 22:26:01 CET 2005


> >
> > I was wondering, is there a general way to escape the string entered
> > by the user, to prevent code injection into command line?
> 
> Take a look at the "string-escape" encoding:
> 
> >>> evil = "'; rm -rf /;"
> >>> command = "echo '%s'"
> >>> print command % evil.encode('string-escape')
> echo '\'; rm -rf /;'

Cool, thanks! Next time I'll study stdlib better before asking the question :)

-- 
Ksenia



More information about the Python-list mailing list