by mw42 4268 days ago
SQL injection is not avoided by escaping arguments, but by never mixing the command and user supplied arguments in the first place. The equivalent to your example would be

  execlp("mv", "mv", src, dest, NULL);
which does not rely on the shell to try to untangle your arguments from a single string.

Edit: Fixed, thanks!

2 comments
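The contrast the post draws, as an added example that is not code from the original post: Python's `subprocess` list form hands argv straight to execvp(), the same family as the post's execlp(), while `shell=True` is the string-concatenation shape. The filenames, the `MARKER` name and the shlex-quoted middle variant are this example's own assumptions.

```python
# Added example, not code from the original post. The list form of
# subprocess.run() ends in execvp(), the same family as execlp(); the
# filenames and MARKER below are constructed for the demonstration.
import os
import shlex
import subprocess
import tempfile

MARKER = "INJECTED"   # file the hostile filename tries to create via the shell

def move_shell_string(src: str, dest: str, cwd: str) -> None:
    # The string-concatenation shape: sh -c re-parses the whole line, so
    # metacharacters inside src become additional commands.
    subprocess.run(f"mv {src} {dest}", shell=True, cwd=cwd,
                   stderr=subprocess.DEVNULL)

def move_shell_quoted(src: str, dest: str, cwd: str) -> None:
    # The escape() shape: still one string for the shell, but each argument
    # is quoted first. Works here, yet it stays correct only as long as
    # shlex.quote matches the shell's parsing rules exactly.
    subprocess.run(f"mv {shlex.quote(src)} {shlex.quote(dest)}",
                   shell=True, cwd=cwd, check=True)

def move_argv(src: str, dest: str, cwd: str) -> None:
    # The execlp shape: argv goes to execvp() as a vector; no shell ever sees
    # the names, so src is exactly one argument however odd it looks.
    subprocess.run(["mv", src, dest], cwd=cwd, check=True)

MOVERS = {"string": move_shell_string,
          "quoted": move_shell_quoted,
          "argv": move_argv}

def demo(mode: str) -> dict:
    """Move a file with a hostile name in a scratch directory and report
    whether the move happened and whether the injected command ran."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed attacker-controlled name: under sh -c the ';' ends the
        # mv command and 'touch INJECTED' runs as a command of its own.
        src = f"a; touch {MARKER};"
        dest = "renamed"
        open(os.path.join(d, src), "w").close()
        MOVERS[mode](src, dest, d)
        return {
            "moved": os.path.exists(os.path.join(d, dest))
                     and not os.path.exists(os.path.join(d, src)),
            "injected": os.path.exists(os.path.join(d, MARKER)),
        }

if __name__ == "__main__":
    for mode in MOVERS:
        print(f"{mode:7}: {demo(mode)}")
```

Run on a POSIX system with `mv` and `touch` on the PATH: the string form leaves the file where it was and creates `INJECTED`, the quoted and argv forms move the file and create nothing else.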

> SQL injection is not avoided by escaping arguments, but by never mixing the command and user supplied arguments in the first place.

People see:

  execute("select * from table where id = ?", id);
as for the most part like:

  execute(sprintf("select * from table where id = '%s'", escape(id)));
Where `escape()` is written by "smarter people" and makes sure that `id` isn't a string like this:

  0'; delete all from user;'
(e.g. turning it into `0''; delete all from user;''`). I realize that this isn't what actually happens, but the general idea is that you are sanitizing your inputs.
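The three query shapes this comment compares, as an added example that is not code from the original comment, run against an in-memory SQLite table. The table, its rows and the hostile id are constructed here. The comment's payload stacks a second statement, which Python's `sqlite3` `execute()` refuses outright, so the hostile id below is a single-statement one that turns the WHERE clause into a tautology; the two-line `escape()` is the one rule this dialect needs for a quoted literal, not a general-purpose routine.

```python
# Added example, not code from the original comment. Runs the parameterized,
# escaped-and-pasted and raw-pasted query shapes against constructed data.
import sqlite3

HOSTILE_ID = "0' or '1'='1"   # constructed payload: closes the literal, adds OR

def make_db() -> sqlite3.Connection:
    # Constructed sample data: a three-row 'user' table.
    conn = sqlite3.connect(":memory:")
    conn.execute("create table user (id integer primary key, name text)")
    conn.executemany("insert into user values (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn

def lookup_parameterized(conn: sqlite3.Connection, id_value: str) -> list:
    # What execute("... where id = ?", id) actually does: SQL text and value
    # travel separately, the value is bound after parsing and is never read
    # as SQL, so there is nothing to escape.
    return conn.execute("select * from user where id = ?",
                        (id_value,)).fetchall()

def escape(s: str) -> str:
    # The escape() of the comment, reduced to the single rule that matters
    # for a quoted literal in this dialect: a quote is written as ''.
    return s.replace("'", "''")

def lookup_escaped(conn: sqlite3.Connection, id_value: str) -> list:
    # What the comment imagines happens under the hood: build the string,
    # but escape the value first. Safe only while the template quotes the
    # literal and escape() covers every way out of that literal.
    return conn.execute(
        "select * from user where id = '%s'" % escape(id_value)).fetchall()

def lookup_raw(conn: sqlite3.Connection, id_value: str) -> list:
    # The injectable shape: the value is pasted in as-is, so the parser reads
    # the attacker's closing quote and OR as part of the statement.
    return conn.execute(
        "select * from user where id = '%s'" % id_value).fetchall()

if __name__ == "__main__":
    conn = make_db()
    for name, fn in [("parameterized", lookup_parameterized),
                     ("escaped", lookup_escaped),
                     ("raw", lookup_raw)]:
        print(f"{name:14} benign id 2 -> {fn(conn, '2')}")
        print(f"{name:14} hostile id  -> {fn(conn, HOSTILE_ID)}")
```

With the benign id all three return bob; with the hostile id the raw form returns every row, while the escaped and parameterized forms return nothing because the whole string is compared against the integer column as one value.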
> Where `escape()` is written by "smarter people"

Can we stop with this, please? I'm sure it's not your intention, and it's the way it's always phrased, but it's casual contempt, and we deserve to treat each other and be treated better.

"escape() is written by someone who spent a large amount of time analysing all the issues, testing, taking and incorporating feedback so the rest of us, who are both smart and competent, don't have to duplicate the work."

Similarly, no amount of escaping would protect you from Shellshock.

P.S. Doesn't execlp() require a NULL at the end of the parameter list?