I would like to pass some user-provided arguments to an application (using C# on Windows).
The arguments are in a NameValueCollection, and I want to pass them as a string so that the application can be called with the provided arguments using ProcessStartInfo:
    ProcessStartInfo startInfo = new ProcessStartInfo();
    startInfo.UseShellExecute = true;
    startInfo.FileName = executableName;
    startInfo.Arguments = arguments;
    startInfo.Verb = "runas";
    Process p = Process.Start(startInfo);
This part is well documented and very simple.
However, because of the way these arguments will be built in my script (the user may have passed them through a URL, which is easily crafted maliciously), I want to be sure that they are correctly escaped (for example, that no one can enter an escape character or quote that results in calling another application or performing another action).
I want to be sure that there is no risk of command injection from characters in the name or value of an argument. I do not understand whether I should try to escape any characters or not, and/or whether an existing function exists for this.
I come mainly from a Mac and Unix background, and I'm not sure if this is even an actual problem when calling an application through ProcessStartInfo, but it seems reasonable to be paranoid and ask for wiser advice.
c# escaping command-line-arguments
Iain collins
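One way to build the `Arguments` string from the NameValueCollection described in the question, as an added example that is not part of the original post. It assumes the target is an ordinary .exe that splits its command line with the standard Microsoft C runtime / CommandLineToArgvW rules; the `--name=value` layout, the name allowlist and the names `ArgQuoting`, `QuoteArgument` and `BuildArguments` are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Text;

static class ArgQuoting
{
    // Assumption: the target is an .exe using the Microsoft C runtime /
    // CommandLineToArgvW splitting rules (not a .bat/.cmd file, which
    // cmd.exe parses with different metacharacters).
    public static string QuoteArgument(string arg)
    {
        if (arg.IndexOf('\0') >= 0)
            throw new ArgumentException("NUL cannot appear in a command line.");
        var sb = new StringBuilder("\"");
        int backslashes = 0;
        foreach (char c in arg)
        {
            if (c == '\\') { backslashes++; continue; }
            // Backslashes are literal unless they precede a quote; there they
            // are doubled, plus one more to escape the quote itself.
            sb.Append('\\', c == '"' ? backslashes * 2 + 1 : backslashes);
            sb.Append(c);
            backslashes = 0;
        }
        // Double trailing backslashes so they do not escape the closing quote.
        sb.Append('\\', backslashes * 2).Append('"');
        return sb.ToString();
    }

    // Hypothetical layout: each pair becomes one quoted "--name=value" token,
    // and only names on the caller's allowlist are accepted.
    public static string BuildArguments(NameValueCollection pairs, ISet<string> allowedNames)
    {
        var parts = new List<string>();
        foreach (string name in pairs.AllKeys)
        {
            if (name == null || !allowedNames.Contains(name))
                throw new ArgumentException("Unexpected argument name.");
            foreach (string value in pairs.GetValues(name) ?? new string[0])
                parts.Add(QuoteArgument("--" + name + "=" + value));
        }
        return string.Join(" ", parts);
    }

    static void Main()
    {
        // Constructed sample input: a trailing backslash and embedded quotes.
        var q = new NameValueCollection { { "path", @"C:\dir with space\" }, { "msg", "say \"hi\"" } };
        Console.WriteLine(BuildArguments(q, new HashSet<string> { "path", "msg" }));
    }
}
```

Quoting only guarantees that each pair arrives as a single argv entry; what the target then does with the value still has to be validated by the target or by the caller.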