科技回声

A tech news platform built on Next.js, providing global tech news and discussion.

© 2025 科技回声. All rights reserved.

Safe Shell String Interpolation

21 points by Wingy, about 2 months ago

3 comments

telotortium, about 2 months ago

No love for Python's shlex.quote[1] or their equivalents in other languages to quote arguments for shell? In his case, which is interpolating a variable inside a shell double-quoted string, I would probably use environment variables, or else use shell `printf` with `shlex.quote`. But generally I interpolate directly into the command line using `shlex.quote`, when I can't avoid executing using the shell.

I was happy to learn about Python's template string proposal (i.e., t-strings) from https://peps.python.org/pep-0750/, although it probably won't become common for a while.

[1] https://docs.python.org/3/library/shlex.html#shlex.quote
(Reply #43448868 not loaded)
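As an added example (not from the thread or from any commenter), here are the two approaches telotortium describes, `shlex.quote` and passing the value through an environment variable, beside the naive double-quoted interpolation. The helper names, the `figlet | lolcat` command line and the sample names are constructed here; the tokenizer uses `shlex.shlex` in POSIX mode with `punctuation_chars=True` so that `;` and `|` come back as their own tokens, which shows how many simple commands the shell would parse from each string without executing anything.

```python
import os
import shlex
import shutil
import subprocess

# Constructed sample inputs (not from the thread): a benign name and one that
# carries shell metacharacters. The second is deliberately harmless (echo only).
PLAIN_NAME = "Bob"
HOSTILE_NAME = 'Bob"; echo hi; echo "x'

# Shell operators that separate simple commands (a subset, enough for the demo).
CONTROL_TOKENS = {";", "|", "&", "&&", "||"}


def naive_command(username: str) -> str:
    """The unsafe pattern: interpolate straight into a double-quoted shell string."""
    return f'figlet "Welcome, {username}" | lolcat -f'


def quoted_command(username: str) -> str:
    """Quote the whole argument with shlex.quote instead of nesting it in double quotes.

    shlex.quote wraps the value in single quotes and escapes any embedded single
    quote, so the shell sees exactly one word whatever the value contains.
    """
    return f"figlet {shlex.quote('Welcome, ' + username)} | lolcat -f"


def env_command(username: str) -> tuple[list[str], dict[str, str]]:
    """The environment-variable approach: the value never enters the command text.

    Returns the argv and environment to hand to subprocess.run. "$NAME" is expanded
    by the shell after parsing; inside double quotes the result is neither
    word-split nor glob-expanded, so it stays a single argument.
    """
    argv = ["sh", "-c", 'figlet "Welcome, $NAME" | lolcat -f']
    env = {**os.environ, "NAME": username}
    return argv, env


def simple_commands(command_line: str) -> list[list[str]]:
    """Tokenize as a POSIX shell would and split the result into simple commands."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    commands: list[list[str]] = [[]]
    for token in lexer:
        if token in CONTROL_TOKENS:
            commands.append([])
        else:
            commands[-1].append(token)
    return [cmd for cmd in commands if cmd]


def echo_via_env(username: str) -> str:
    """Run the env-var pattern with printf instead of figlet so it works wherever sh exists."""
    argv = ["sh", "-c", 'printf "%s\\n" "$NAME"']
    result = subprocess.run(argv, env={**os.environ, "NAME": username},
                            capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    for label, cmd in (("naive", naive_command(HOSTILE_NAME)),
                       ("quoted", quoted_command(HOSTILE_NAME))):
        print(f"{label}: {cmd}")
        for words in simple_commands(cmd):
            print("   ", words)  # the naive form parses into four commands, the quoted one into two
    if shutil.which("sh"):
        print("env:", echo_via_env(HOSTILE_NAME), end="")
```

The hostile name is not meant to be realistic; it only has to contain a closing double quote and a separator for the naive form to fall apart. Note that `shlex.quote` must wrap the entire argument and must not itself sit inside double quotes, otherwise the single quotes it adds become literal characters in the banner.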
js2, about 2 months ago

Pipeline in Python w/o invoking the shell:

```python
from subprocess import PIPE, Popen

username = input("Hello, what's your name? ")
p1 = Popen(["figlet", f"Welcome, {username}"], stdout=PIPE)
p2 = Popen(["lolcat", "-f"], stdin=p1.stdout, stdout=PIPE)
p1.stdout.close()  # Allow p1 to receive a SIGPIPE if p2 exits.
banner = p2.communicate()[0]
print(banner)
```

https://docs.python.org/3/library/subprocess.html#replacing-shell-pipeline

Don't use the shell unless you absolutely have to, and when you do have to, use shlex.quote for quoting arguments:

https://docs.python.org/3/library/shlex.html#shlex.quote

```python
from shlex import quote
from subprocess import check_output

username = input("Hello, what's your name? ")
# quote() wraps the whole argument in single quotes, so it replaces the
# double quotes rather than sitting inside them.
banner = check_output(f"figlet {quote('Welcome, ' + username)} | lolcat -f", shell=True)
print(banner)
```

For something this simple, you could also just use `subprocess.check_output` twice:

```python
from subprocess import check_output

username = input("Hello, what's your name? ")
banner = check_output(["figlet", f"Welcome, {username}"])
banner = check_output(["lolcat", "-f"], input=banner)
print(banner)
```
amelius, about 2 months ago

This is one reason why, really, nobody should use a shell that was optimized for commandline use, for scripting.

On the commandline, all your inputs are usually known and trusted, so the shell language will take a few shortcuts to make everything more convenient for the user. But of course, when scripting, these assumptions don't hold and you need a language with more notational rigor.

Bash et al. are dangerous scripting languages, and they become even more dangerous when users (who typically don't want to understand the subtleties) start using LLMs to generate code for them.
(Reply #43448562 not loaded)