On 01Apr2013 20:26, John Gordon <gor...@panix.com> wrote:
| In <0c9717ca-52dd-49ce-8102-e14328838...@googlegroups.com> cev...@gmail.com writes:
| > someip = '192.168.01.01'
| > var1 = 'lynx -dump http://' + someip + '/cgi-bin/xxxx.log&.submit=+++Go%21+++ > junk'
|
| '&' is a special character in shell commands. You'll need to quote or
| escape it.

Or better still, use the subprocess module and avoid going via the
os.system() altogether:

  http://docs.python.org/2/library/subprocess.html#popen-constructor

If you must go via the os.system(), write yourself a generic function
to quote a string for the shell, and to quote a bunch of strings
(essentially " ".join( quoted-individual-strings )). And use it
rigorously. Anything else is asking for shell injection attacks/errors,
just as bad as hand constructing SQL statements.

For example, if I must construct a shell command from arbitrary strings
(like your URL) I use quote() from this:

  https://bitbucket.org/cameron_simpson/css/src/tip/lib/python/cs/sh.py

That code's nothing special, just what I rolled some years ago for
exactly this purpose.

The core lesson is: never waste time figuring out _whether_ you need to
treat shell strings specially. Just treat them specially and
consistently and be safe.

Cheers,
--
Cameron Simpson <c...@zip.com.au>

cat: /Users/cameron/rc/mail/signature.: No such file or directory

The Design View editor of Visual InterDev 6.0 is currently incompatible
with Compatibility Mode, and may not function correctly.
- George Politis <geo...@research.canon.com.au>, 22apr1999,
  quoting http://msdn.microsoft.com/vstudio/technical/ie5.asp
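
An added example, not part of the original message and not the cs.sh code it links to: the URL from the quoted post handed to a child process three ways (unquoted through the shell, quoted through the shell, and as an argument list with no shell). It assumes Python 3.7+ on a POSIX system, uses the standard library's shlex.quote as the quoting function, and replaces lynx with a stand-in that prints the argument it received; STANDIN, sh_join, run_naive, run_quoted and run_argv are names chosen here.

```python
import shlex
import subprocess
import sys

# Constructed sample input: the URL built in the quoted post.
SOMEIP = "192.168.01.01"
URL = "http://" + SOMEIP + "/cgi-bin/xxxx.log&.submit=+++Go%21+++"

# Stand-in for "lynx -dump" (assumption, so this runs offline): a child
# process that prints the single argument it actually received.
STANDIN = [sys.executable, "-c", "import sys; print(sys.argv[1])"]


def sh_join(args):
    """Quote every string for the shell, then join with spaces."""
    return " ".join(shlex.quote(a) for a in args)


def run_naive(url):
    """Concatenate the URL into the shell command unquoted, as in the post.

    The shell treats '&' as a command separator: it backgrounds the part
    before it and tries to run the rest as a second command.
    """
    cmd = sh_join(STANDIN) + " " + url
    p = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return p.stdout.strip()


def run_quoted(url):
    """Still via the shell, but every string is quoted first."""
    cmd = sh_join(STANDIN + [url])
    p = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return p.stdout.strip()


def run_argv(url):
    """No shell at all: the argument list goes straight to the child."""
    p = subprocess.run(STANDIN + [url], capture_output=True, text=True)
    return p.stdout.strip()


if __name__ == "__main__":
    print("naive :", run_naive(URL))
    print("quoted:", run_quoted(URL))
    print("argv  :", run_argv(URL))
```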