Re: mysqldump usage in bash
From: Greg Wooledge
Subject: Re: mysqldump usage in bash
Date: Fri, 28 Aug 2009 10:55:28 -0400
User-agent: Mutt/1.4.2.3i
On Fri, Aug 28, 2009 at 07:06:52AM -0700, Arenstar wrote:
> What effects can eval have that I am unaware of? In fact I've never used
> eval before, it just wasn't necessary..
> Thank you for your interesting reply
>
> query="mysqldump -h $DBSource -u rxxxxx -pxxxx $DB $TABLE --where '$Field >
> $(($IDstart-1)) and $Field < $(($IDend+1))' > ./tmp/$TABLE$Dumpname"
> eval $query
imadev:~$ DB='MyRealDB $(date >/dev/tty)'
imadev:~$ query="mysqldump -h $DBSource -u rxxxxx -pxxxx $DB $TABLE --where '$Field > $(($IDstart-1)) and $Field < $(($IDend+1))' > ./tmp/$TABLE$Dumpname"
imadev:~$ eval $query
Fri Aug 28 10:49:12 EDT 2009
bash: ./tmp/: Is a directory
As you can see, it executed the "date" command that I placed in the DB
variable. Now imagine I had put "rm -rf /" in there instead. Or not
redirected it to /dev/tty so I could see it. Or ....
Since eval causes the parser to read the command a second time AFTER
parameters have already been expanded, it will potentially execute
code contained in those parameters. This means you have to sanitize
all your variables and other substitutions to make them "eval safe".
This is where the headaches start.
In addition to the eval discussion, your quoting is... potentially odd.
You're executing all the substitutions (such as $IDend + 1) at the time
you assign to the query variable, NOT at the time you eval $query.
This may or may not be what you intended.
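The eval pattern from the thread beside the direct-call fix, as an added example that is not part of the original message. The real mysqldump is replaced by a hypothetical fake_mysqldump that prints its argv one item per line so the argument boundaries are visible and the script runs offline; the host dbhost, table mytable, column id, and the database name carrying a command substitution are constructed inputs.

```shell
#!/bin/sh
# Added example (not from the original post). A stand-in for mysqldump
# that prints each argument on its own line, so we can see exactly what
# the command received.
fake_mysqldump() { printf '%s\n' "$@"; }

# The pattern from the thread: flatten everything into one string, then
# eval it. Whatever is inside $DB (or any other variable) gets parsed a
# second time, as shell code, after it has already been expanded.
unsafe_run() {
    local DBSource=$1 DB=$2 TABLE=$3 Field=$4 IDstart=$5 IDend=$6
    local query="fake_mysqldump -h $DBSource -u rxxxxx -pxxxx $DB $TABLE --where '$Field > $((IDstart-1)) and $Field < $((IDend+1))'"
    eval "$query"
}

# The fix: do not build a command string at all. Each variable is
# expanded exactly once, inside double quotes, directly in the argument
# list, and the arithmetic runs when the function is called rather than
# when some string was assigned.
safe_run() {
    local DBSource=$1 DB=$2 TABLE=$3 Field=$4 IDstart=$5 IDend=$6
    fake_mysqldump -h "$DBSource" -u rxxxxx -pxxxx "$DB" "$TABLE" \
        --where "$Field > $((IDstart-1)) and $Field < $((IDend+1))"
}

# Constructed hostile input: a database name carrying a command
# substitution, the same trick as the $(date >/dev/tty) in the post.
PAYLOAD='MyRealDB $(echo PAYLOAD-RAN)'

echo '--- eval: PAYLOAD-RAN shows up as its own argument, so the echo ran ---'
unsafe_run dbhost "$PAYLOAD" mytable id 10 100
echo '--- direct call: the payload stays a literal part of one argument ---'
safe_run dbhost "$PAYLOAD" mytable id 10 100
```

If the dump has to go to a file, put the redirection on the direct call, e.g. `safe_run ... > "./tmp/$TABLE$Dumpname"`, with the target quoted. In bash, when the command really must be stored before it runs, the equivalent is an array (`cmd=(mysqldump -h "$DBSource" ...)` then `"${cmd[@]}"`), which keeps one argument per element and still never re-parses the contents as code.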