1

Please how to pass the 'inp" variable from this piece of vbs to my batch named job.bat? Indeed when doing echoing (echo %2) from job.bat, i notice that the inp is not passed properly. prompt command views inp and not the value retrieved from vbs. Thanks

For Each listElement In xmlDoc.selectNodes("document/Lists/list")
 msgbox "toto"
 inp=listElement.selectSingleNode("entry").text
 out=  listElement.selectSingleNode("output").text
 jeton=  listElement.selectSingleNode("token").text

 dim shell
 set shell=createobject("wscript.shell") 
 shell.run "job.bat ""a file"" **inp** "
 set shell=nothing 
 Next
Improve this question
0

2 Answers 2

Reset to default
3

I think what you're looking for is this.

shell.run "job.bat ""argfile.ext"" " & inp

However, as Ansgar Wiechers points out, this is a potentially severe security hole, as a treacherously crafted XML file could run arbitrary commands. To encapsulate your batch file arguments and prevent unintended consequences, consider switching to the Shell.Application object's ShellExecute method.

For Each listElement In xmlDoc.selectNodes("document/Lists/list")

    msgbox "toto"
    inp = listElement.selectSingleNode("entry").text
    out = listElement.selectSingleNode("output").text
    jeton = listElement.selectSingleNode("token").text

    set shell=CreateObject("Shell.Application") 
    shell.ShellExecute "job.bat", """a file"" " & inp, "path\to\batfile\", "runas", 1
    set shell=nothing 

Next
Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

2

Unlike several other languages VBScript doesn't expand variables inside strings. Because of that, inp in the string

"job.bat ""a file"" inp "

is just the literal string "inp", not the value of the variable inp. To produce a string with the value of a variable, you have to concatenate base string and variable like @rojo suggested:

shell.run "job.bat ""a file"" " & inp

I would, however, not recommend doing this without some safety precautions. For one thing you should always put double quotes around your arguments, in case they contain spaces. I normally use a quoting function for this to prevent the instruction from becoming riddled with quad-quotes:

Function qq(str) : qq = Chr(34) & str & Chr(34) : End Function

'...
shell.run "job.bat " & qq("a file") & " " & qq(inp)

You should also always apply sanitizing to all user input that is passed to a shell command. Otherwise your users might wreak havoc by entering something like foo & del /s /q C:\*.*. Common practice is to allow only known-good characters in the input string and replace everything else with a safe character (e.g. an underscore). You can achieve this with a regular expression:

Set re = New RegExp
re.Pattern = "[^ a-z0-9äöü.,_$%()-]"
re.Global  = True
re.IgnoreCase = True

inp = re.Replace(inp, "_")
Improve this answer

4 Comments

+1 thorough. I'm curious about something, though. You know with an ADODB.Command object you can do parameterized queries -- cmdObj.commandText = "INSERT INTO table (col1, col2) VALUES (?, ?)" and then cmdObj.parameters(0).value = "val1" and cmdObj.parameters(1).value = "val2" to prevent SQL injection attacks. Can that same convention of building a parameterized query be employed for other things, such as building a shell.run command?
Not that I know of. You'd need some sort of escaping function to "defuse" potentially harmful characters, but I'm not aware of any such function/method built into VBScript (or the usual COM objects).
Actually, I just ran a test, and it appears that the Shell.Application object's ShellExecute method successfully encapsulates arguments to prevent the sort of attack you're describing. Might be safer than wsh.shell's run method.
Too late! I got impatient, so I added it to my answer. :>

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.