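JSON and shell script error

I am trying to send a Slack notification with a shell script.
The JSON parameters are built from variables, which are obtained from MySQL queries.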
#!/bin/sh
#MySQL RO Access
host='mysqlserver.com'
userdb='slackro'
password='password'
db='db'
#Slack information
hook='https://hook.slack'
user='slackusr'
channel='o_channel'
emoji='slackusr'
#Query
id=`mysql -D $db -u $userdb -p$password -e 'SELECT id FROM ticket WHERE tn ='$1'' -h $host | sed -e '1d'`
tn=`mysql -D $db -u $userdb -p$password -e 'SELECT tn FROM ticket WHERE tn ='$1'' -h $host | sed -e '1d'`
title=`mysql -D $db -u $userdb -p$password -e 'SELECT title FROM ticket WHERE tn ='$1'' -h $host | sed -e '1d' | sed "s/'/ /g" | sed "s/°//g" | sed "s/ /_/g" `
customer=`mysql -D $db -u $userdb -p$password -e 'SELECT customer_id FROM ticket WHERE tn ='$1'' -h $host | sed -e '1d'`
msj=`mysql -D $db -u $userdb -p$password -e 'SELECT a_body FROM article WHERE ticket_id ='$id' ORDER BY id DESC LIMIT 1' -h $host | sed -e '1d'`
url='http://iiabox.infra.ultra.sur.top/otrs/index.pl?Action=AgentTicketZoom;TicketID'$1
#Message
curl -X POST -H 'Content-type: application/json' --data '{"username": "slackusr","icon_emoji": ":slackusr:","attachments": [{"fallback": "New Ticket","pretext": "New ticket from '$customer'","title": "'$title'","title_link": "'$url'","text": "'$msj'","color": "#006495"}]}' $hook
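When I run this script I get something like this:
curl -X POST -H 'Content-type: application/json' --data '{"username": "OTRS","icon_emoji": ":slackusr:","attachments": [{"fallback": "New Ticket","pretext": "New ticket from [email protected]","title": "Prueba' de Notificación '6","title_link": "http://site/otrs/index.pl?Action=AgentTicketZoom;TicketID2016110472000067","text": "Cerrado","color": "#006495"}]}' https://hooks.slack.com/
curl: (6) Could not resolve host: de
curl: (6) Could not resolve host: xn--notificacin-zeb
curl: (3) [globbing] unmatched close brace/bracket in column 152
I don't understand why the value of the $title variable shows up as "Prueba' de Notificación '6".
If I print the $title variable with echo I get "Prueba de Notificación 6", without the single quotes before the first space and after the last space.
What should I do?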
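This code has serious security-impacting bugs. What do you think will happen if someone gives a ticket number of '1' or '1'=='1', or a ticket number of ''; DROP TABLE ticket; --'?
As for forming JSON safely, rather than using string concatenation (which makes you responsible for correct quoting), use a tool that understands the syntax, such as 'jq'.
...and for other bugs on the shell side, see http://shellcheck.net/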
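
The two fixes the comments above point to, as an added example that is not part of the original thread: reject any ticket number that is not purely numeric before it reaches a query, and let jq build the JSON so that spaces and quotes in the title cannot split the curl arguments. The function names valid_tn and build_payload are hypothetical, the sample values are constructed, and jq is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the thread): validate input, let jq quote the JSON.

# Accept digits only, so the ticket number cannot carry SQL or shell syntax.
# Assumption: ticket numbers are purely numeric, like 2016110472000067.
valid_tn() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Build the Slack payload. Arguments: customer, title, url, text.
# --arg hands each value to jq as a string; jq escapes quotes, backslashes
# and newlines itself, and the double-quoted "$N" stops word splitting.
build_payload() {
    jq -n -c \
        --arg customer "$1" --arg title "$2" --arg url "$3" --arg text "$4" \
        '{username: "slackusr", icon_emoji: ":slackusr:",
          attachments: [{fallback: "New Ticket",
                         pretext: ("New ticket from " + $customer),
                         title: $title, title_link: $url, text: $text,
                         color: "#006495"}]}'
}

# Constructed sample values stand in for the MySQL results.
# To post: build_payload ... | curl -X POST -H 'Content-type: application/json' --data @- "$hook"
if valid_tn "${1:-}"; then
    build_payload 'customer@example.com' 'Prueba de "Notificación" 6' \
        "http://site/otrs/index.pl?Action=AgentTicketZoom;TicketID$1" 'Cerrado'
else
    echo "usage: $0 <numeric ticket number>" >&2
fi
```

The same quoting rule applies to every expansion in the original script: an unquoted $title is split on spaces by the shell, which is why curl treated "de" and "Notificación" as extra host names.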