[GRASS-dev] bug in v.db.renamecol [was: Re: [GRASS-user] Rename multiple sqlite columns at once]

Hamish hamish_b at yahoo.com
Wed Nov 19 07:35:52 EST 2008


Moritz wrote:
> Don't think that table names can have spaces

it doesn't matter if they can really have spaces, it matters if a user who
thinks they could have spaces tries that. The goal is that the module
does not fail in a bizarre way in that case, but with a useful error
message from the correct place.

if modules are run live from the web, an unquoted variable could include
something like table="dbf; run_evil_command; #", and without quoting
they have all the shell access they want. (well, I'm not totally sure
about that, but it scares me enough to be pedantic about it for shell
scripts)


Hamish


ps- "${var}" is a little overkill, I think "$var" is fine. and I'm not
sure if "" around VAR=`` is needed, or if that causes problems if interior
command also contains "". ??
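
An added example, mine and not code from Hamish's mail or from the GRASS sources, showing what an unquoted variable actually lets through in a POSIX shell script and what it does not, plus the identifier check that turns a bad table name into a clean error from the module itself. Plain expansion of an unquoted variable does word splitting and globbing but does not re-parse a `;` as a command separator; the string only becomes shell code when it is re-read by `eval`, `sh -c` or a similar construct. Quoting the variable keeps the shell safe but still carries the `;` into any SQL statement the module builds from it, so the identifier check is the part that gives the useful error. The `EVIL_TABLE` value, the `MARKER=hit` assignment standing in for `run_evil_command`, the `count_args` stand-in for a real module, and the `ALTER TABLE` text are all made up for illustration (the statement is not what v.db.renamecol runs).

```sh
#!/bin/sh
# Added example, not from the GRASS sources or this thread.  Names and the
# SQL text are illustrative.  Runs under dash and bash.

# Constructed attacker-controlled value, shaped like Hamish's example;
# "MARKER=hit" stands in for run_evil_command so nothing is executed for real.
EVIL_TABLE='dbf; MARKER=hit; #'

# Stand-in for any module or db.* command that receives the table name.
# Prints the number of arguments it was given.
count_args() {
    echo "$#"
}

# 1. Unquoted expansion: the value is split on whitespace (and would be
#    globbed if it held * or ?), but ';' and '#' are NOT re-parsed as
#    shell syntax.  The command sees 3 literal arguments; nothing runs.
unquoted_argc() {
    count_args $EVIL_TABLE
}

# 2. Quoted expansion: exactly one argument, byte for byte.
quoted_argc() {
    count_args "$EVIL_TABLE"
}

# 3. Where it really becomes shell injection: the value is re-read as
#    shell code, here via eval (sh -c "..." behaves the same).  The
#    injected assignment runs in the current shell.
eval_result() {
    MARKER=untouched
    eval "count_args $EVIL_TABLE" >/dev/null
    echo "$MARKER"
}

# 4. On the PS: no word splitting happens in an assignment, so the outer
#    quotes around VAR=$(...) or VAR=`...` are optional, and double quotes
#    inside the substitution do not clash with outer double quotes.
subst_with_inner_quotes() {
    a=$(printf '%s' "a  b")          # unquoted assignment: both spaces kept
    b="$(printf '%s' "a  b")"        # quoted: identical
    c="`printf '%s' "a  b"`"         # backticks with inner double quotes
    [ "$a" = "$b" ] && [ "$b" = "$c" ] && echo "$a"
}

# 5. Quoting fixes the shell, not the SQL.  A module that builds its
#    statement as a string should reject anything that is not a plain
#    identifier, so the user gets a clear error from the module itself.
valid_identifier() {
    case $1 in
        ""|*[!A-Za-z0-9_]*|[0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# $1 = table, $2 = old column, $3 = new column.  Illustrative statement.
build_rename_sql() {
    for name in "$1" "$2" "$3"; do
        valid_identifier "$name" || { echo "invalid name: <$name>" >&2; return 1; }
    done
    echo "ALTER TABLE $1 RENAME COLUMN $2 TO $3"
}

echo "unquoted argc: $(unquoted_argc)"     # 3
echo "quoted argc:   $(quoted_argc)"       # 1
echo "after eval:    $(eval_result)"       # hit
build_rename_sql "$EVIL_TABLE" oldcol newcol || echo "rejected as expected"
```

The practical rule for a shell module is therefore twofold: always quote `"$var"` wherever it is expanded into a command line, and never feed user input through `eval` or a second shell; and separately, validate table and column names before interpolating them into SQL, because the quotes protect the shell, not the database.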
