escaping

I am attempting to start mplayer. My filename contains spaces and these should be escaped. This is the code I am using: @player_pid = fork do exec "/usr/bin/mplayer #{song.file}" end where #{song.file} contains a path like "/home/example/music/01 - a song.mp3" . How can I escape this variable properly (and possible other weird characters that the title may contain) so the terminal will accept my command? Shellwords should work for you :) exec "/usr/bin/mplayer %s" % Shellwords.escape(song.file) In ruby 1.9.x, it looks like you have to require it first require "shellwords" But in ruby 2.0.x, I

Consider: >>> sample = "hello'world" >>> print sample hello'world >>> print sample.replace("'","\'") hello'world In my web application I need to store my Python string with all single quotes escaped for manipulation later in the client browsers JavaScript. The trouble is Python uses the same backslash escape notation, so the replace operation as detailed above has no effect. Is there a simple workaround? Use: sample.replace("'", r"\'") or sample.replace("'", "\\'") As a general solution for passing data from Python to Javascript, consider serializing it with the json library (part of the

In the docs it says: The only exceptions are variables that are already marked as “safe” from escaping, either by the code that populated the variable, or because it has had the safe or escape filters applied." How does the "populated the variable" part work ? I'm actually looking for a way to declare a template tag as safe in the view. I somehow think it's not a good idea to let a designer decide. My co-worker will just add it whenever she 'thinks' it's a good idea. https://docs.djangoproject.com/en/dev/ref/templates/builtins/?from=olddocs Django has a subclass of strings called safe strings

I have an application where the values in the text field are sent to the database. For example I have a form with one field (text box). When I press Ok button then the content of the text field is inserted as a record into a table. I'm just trimming and extracting the text box's text into variable and passing it to my SQL string. The problem is that whenever something like "It's" or "Friend's" the single quote is identified as the end of string. In Delphi I have seen something like QuotedString to avoide this. Any ideas from you? Don't ever build SQL statements like that, it's very unsafe

So I know about MySQL injection and always escape all my user input before putting it in my database. However I was wondering, imagine a user tries to submit a query to inject, and I escape it. What if I then at a later moment take this value from the database, and use it in a query. Do I have to escape it again? So: ( sql::escape() contains my escape function) $userinput = "'); DROP `table` --"; mysql_query("INSERT INTO `table` (`foo`,`bar`) VALUES ('foobar','".sql::escape($userinput)."')"); // insert php/mysql to fetch `table`.`bar` into $output here mysql_query("INSERT INTO `table2` (`foo`,