Consequences of not quoting variables
Posted: Sun May 10, 2026 9:52 pm
They say you should put quotes around variables, to protect the strings from re-interpretation or missing strings causing the wrong context for a path (e.g. rm -rf /). I often don't bother, when it's just a simple script. I mean, nobody is going to be trying to inject anything into my scripts, they are just for my own use etc.
For a while I've been using a simple command in a little script to fetch Arch PKGBUILDs (./PKGBUILD-get pkgname)

Code:
#! /bin/sh
PKG=$1
git clone https://gitlab.archlinux.org/archlinux/packaging/packages/$PKG.git

That worked just fine, I used it for a long time, but then I got tired of renaming the old build dirs out of my way manually. (I keep pkgname_old because I have to edit the PKGBUILD files for the new one etc.)

Code:
#! /bin/sh
PKG=$1
rm -rf $PKG_old > /dev/null 2>&1
mv $PKG $PKG_old > /dev/null 2>&1
git clone https://gitlab.archlinux.org/archlinux/packaging/packages/$PKG.git

In this case, the coreutils (rm, mv) commands don't get the variable expanded, but the git command still does. Funny how those differ in interpretation.
It fails horribly. The git command still works (but doesn't in this case because the directory didn't get rm -rf'd first... but it's got the variable expanded correctly, glibc)
I took out the output squelching rm -rf and >/dev/null to demonstrate (otherwise it will just silently fail)

Code:
[grogan@nicetry ~]$ ./PKGBUILD-get glibc
rm: missing operand
Try 'rm --help' for more information.
mv: missing destination file operand after 'glibc'
Try 'mv --help' for more information.
fatal: destination path 'glibc' already exists and is not an empty directory.

So now I've got quotes out the wazoo, and it works as intended. (it works if I only quote "$1" but best practice is to quote all variables from now on)

Code:
#! /bin/sh
PKG="$1"
rm -rf "$PKG"_old > /dev/null 2>&1
mv "$PKG" "$PKG"_old > /dev/null 2>&1
git clone https://gitlab.archlinux.org/archlinux/packaging/packages/"$PKG".git

Single quotes and double quotes have to be used correctly too, for an example that comes to mind... the source array in a PKGBUILD. Arch would use single quotes for each element in the array, EXCEPT when variables have to be expanded. Thus, this doesn't work... it will literally try to use $pkgver

Code:
source=('llvm-project-$pkgver-checkout.tar.gz' 'blah.whatever')

It needs to be like this:

Code:
source=("llvm-project-$pkgver-checkout.tar.gz" 'blah.whatever')

The moral of the story is, don't be lazy... quote your fucking variables!
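
The terminal output in the post can be reproduced without touching any files, as an added example that is not the poster's script: the shell reads `$PKG_old` as a variable named `PKG_old`, which is unset, whereas the `.` in `$PKG.git` ends the name at `PKG`. The helper names (`count_args` and the rest) are hypothetical, and `glibc` is the sample value from the post's run.

```shell
#!/bin/sh
# Added example, not the poster's script. Helper names are hypothetical.

# Report how many arguments a command would receive after expansion.
count_args() { echo "$#"; }

PKG=glibc        # sample value taken from the post's run
unset PKG_old    # no variable of this name exists, as in the post

# A name after '$' extends over letters, digits and underscores, so
# $PKG_old is the (unset) variable PKG_old, not $PKG followed by _old.
# Unquoted, the empty expansion disappears from the argument list.
rm_operands() { count_args $PKG_old; }        # operands rm was given
mv_operands() { count_args $PKG $PKG_old; }   # operands mv was given

# '.' cannot be part of a name, so the name ends at PKG here.
clone_suffix() { echo $PKG.git; }

# Two spellings that end the name where it was meant to end.
braces() { echo "${PKG}_old"; }
quoted() { echo "$PKG"_old; }

# Quoting keeps an empty expansion as one empty argument instead of
# dropping it, so the command still sees an operand in that position.
quoted_unset() { count_args "$PKG_old"; }

# Unquoted values are also split on whitespace (default IFS assumed).
split_demo() { d='my pkg'; count_args $d; }

# set -u makes a reference to an unset variable a fatal error, which
# catches the mistyped name before rm or mv runs. Tried in a subshell.
strict() {
    if ( set -u; : "$PKG_old" ) 2>/dev/null; then echo ok; else echo error; fi
}

printf 'rm operands: %s\nmv operands: %s\n' "$(rm_operands)" "$(mv_operands)"
printf 'clone name: %s\nbraces: %s\nquoted: %s\n' \
    "$(clone_suffix)" "$(braces)" "$(quoted)"
printf 'quoted unset: %s args\nsplit: %s args\nset -u: %s\n' \
    "$(quoted_unset)" "$(split_demo)" "$(strict)"
```

Zero operands for `rm` and one for `mv` match the "missing operand" and "missing destination file operand after 'glibc'" messages in the post.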