char * S = "hello"; // assume it's dynamically allocated correctly
char * S =“你好”; //假设它是动态分配的
I want to use S in the below statement when S would be treated as a string with the value "hello".
当S被视为值为“hello”的字符串时,我想在下面的语句中使用S.
system("grep S searchtext.txt > result.txt");
system(“grep S searchtext.txt> result.txt”);
How do I do this?
我该怎么做呢?
3 个解决方案
#1
1
In plain C, you traditionally use snprintf() to format your command line string into a buffer:
在普通的C中,传统上使用snprintf()将命令行字符串格式化为缓冲区:
char buf[1024];
snprintf(buf, sizeof(buf), "grep '%s' searchtext.txt > result.txt", S);
system(buf);
Of course, for security reasons, you should never do that if S comes from an external source such as a file, a database, or the user himself. That could lead to shell code injection.
当然,出于安全原因,如果S来自外部源,例如文件,数据库或用户本人,则不应该这样做。这可能导致shell代码注入。
#2
8
In general it's a very very bad idea to use system like this. system runs the command through the shell, meaning that the string you pass to system is subject to all of the shell's variable expansion, command expansion, special character interpretation, etc.
一般来说,使用这样的系统是一个非常糟糕的主意。 system通过shell运行命令,这意味着传递给系统的字符串受所有shell的变量扩展,命令扩展,特殊字符解释等的影响。
If you insist on using system, you must first sanitize your string. The easiest way to do that is:
如果您坚持使用系统,则必须先清理字符串。最简单的方法是:
char *tmp = malloc(4*strlen(S)+3);
tmp[0] = '\'';
for (i=0,j=1; tmp[j]=S[i]; i++, j++)
if (S[i]=='\'') tmp[++j]='\\', tmp[++j]='\'', tmp[++j]='\'';
tmp[j++] = '\'';
tmp[j++] = 0;
if (snprintf(cmd, sizeof cmd, "foo %s ...", tmp) >= sizeof cmd) goto error;
system(cmd);
This code single-quotes the whole string S and replaces any embedded single-quotes with '\''. Note that I also checked for command line truncation in case it could lead to execution of dangerous commands.
此代码单引号整个字符串S并用'\''替换任何嵌入的单引号。请注意,我还检查了命令行截断,以防它可能导致执行危险命令。
A better alternative would be to abandon system entirely and perform your own fork and exec to bypass the shell. Then there is no command line to be interpreted; you have full control over the arguments (*argv[] array) that are passed to the external program.
一个更好的选择是完全放弃系统并执行自己的fork和exec来绕过shell。然后没有要解释的命令行;您可以完全控制传递给外部程序的参数(* argv []数组)。
#3
0
Well there is system primitive -- execl, execp. So you can do this execl("ls", "-la", NULL) in main.
那么有系统原语 - execl,execp。所以你可以在main中执行execl(“ls”,“ - la”,NULL)。
#1
1
In plain C, you traditionally use snprintf() to format your command line string into a buffer:
在普通的C中,传统上使用snprintf()将命令行字符串格式化为缓冲区:
char buf[1024];
snprintf(buf, sizeof(buf), "grep '%s' searchtext.txt > result.txt", S);
system(buf);
Of course, for security reasons, you should never do that if S comes from an external source such as a file, a database, or the user himself. That could lead to shell code injection.
当然,出于安全原因,如果S来自外部源,例如文件,数据库或用户本人,则不应该这样做。这可能导致shell代码注入。
#2
8
In general it's a very very bad idea to use system like this. system runs the command through the shell, meaning that the string you pass to system is subject to all of the shell's variable expansion, command expansion, special character interpretation, etc.
一般来说,使用这样的系统是一个非常糟糕的主意。 system通过shell运行命令,这意味着传递给系统的字符串受所有shell的变量扩展,命令扩展,特殊字符解释等的影响。
If you insist on using system, you must first sanitize your string. The easiest way to do that is:
如果您坚持使用系统,则必须先清理字符串。最简单的方法是:
char *tmp = malloc(4*strlen(S)+3);
tmp[0] = '\'';
for (i=0,j=1; tmp[j]=S[i]; i++, j++)
if (S[i]=='\'') tmp[++j]='\\', tmp[++j]='\'', tmp[++j]='\'';
tmp[j++] = '\'';
tmp[j++] = 0;
if (snprintf(cmd, sizeof cmd, "foo %s ...", tmp) >= sizeof cmd) goto error;
system(cmd);
This code single-quotes the whole string S and replaces any embedded single-quotes with '\''. Note that I also checked for command line truncation in case it could lead to execution of dangerous commands.
此代码单引号整个字符串S并用'\''替换任何嵌入的单引号。请注意,我还检查了命令行截断,以防它可能导致执行危险命令。
A better alternative would be to abandon system entirely and perform your own fork and exec to bypass the shell. Then there is no command line to be interpreted; you have full control over the arguments (*argv[] array) that are passed to the external program.
一个更好的选择是完全放弃系统并执行自己的fork和exec来绕过shell。然后没有要解释的命令行;您可以完全控制传递给外部程序的参数(* argv []数组)。
#3
0
Well there is system primitive -- execl, execp. So you can do this execl("ls", "-la", NULL) in main.
那么有系统原语 - execl,execp。所以你可以在main中执行execl(“ls”,“ - la”,NULL)。