As per an answer on stackoverflow, it's my understanding that encapsulating bash variables in double-quotes is a fairly safe way of sanitizing user input.
What about awk variables? For example, if I have something like:
awk -v SOURCEIP="$SOURCEIP" -v REVERSEDNS="$REVERSEDNS" '{
gsub(/^_TMPSOURCEIP_/, SOURCEIP);
gsub(/^_TMPREVERSEDNS_/, REVERSEDNS);
print
}' /home/foo/footemplate
Should I put quotes around the variable in the gsub lines? So it would then look like:
awk -v SOURCEIP="$SOURCEIP" -v REVERSEDNS="$REVERSEDNS" '{
gsub(/^_TMPSOURCEIP_/, "SOURCEIP");
gsub(/^_TMPREVERSEDNS_/, "REVERSEDNS");
print
}' /home/foo/footemplate
Or does this not make a difference?
Best Answer
These two examples demonstrate the difference:
When
VAR
is unquoted,awk
treats it as a variable with the valuesome "text"
. WhenVAR
is inside quotes, awk treats it as a three-character string.MORE:
bash
has sanitizing issues. Consider:The above will erase
important_file
. In this way,bash
is like a macro language: it will substitute for a variable and then try to execute the result.awk
is different. Consider:awk
treatsVAR
like mere text, not like potential commands to execute.Problems can arise, however, if one lets
bash
modify theawk
script. In my examples above, theawk
scripts were all in single-quotes. That preventsbash
from messing with them.