Challenging: Ignore special characters in bash script

I have a very simple script that prints on screen what ever passed to it on the first argument, the string always come out wrong, and the problem is that this script is being called from another program and passes a variable to that script as the first argument, so there is no way for me to alter the string itself, but only how it is being called or passed.

e.g.

var string=test@$134!'
ssh user@server ./echo_string.sh #string# 

#string# is how I'm passing the variable to shell script, this get replaced with test@$134!', but it doesn't show on the logs and never gets printed.

When I call the script with ./echo_string.sh #string# the output the I'm looking for is this
test@$134!'

Kindly note that the previous is just an example and the string can have any special characters at any position

So is the other program simply calling popen("yourscript.sh test@$134!'") or a similar API call that uses a single string?

If this is the case then that application must work harder to escape test@$134!' - it needs to escape the $ the ' and the ! perhaps also the @ and certain other characters if they are present against the popen shell performing interpretation. I.e. call popen("yourscript.sh test\@\$134\!\'") . Depending on the language you may have to double-escape these characters to ensure the language string processor does not consume the backslash: popen("yourscript.sh test\\@\\$134\\!\\'") - you would need this if the caller was C or C++.

In many cases, simply using explicit double-quotes around the argument would be enough, as that causes many shell escapes to not be attempted - but because your string contains a dollar sign ($) some, or all of the phrase might be interpreted as a shell variable. Using single quotes round the phrase is an even more powerful anti-processor, but then the single quote you have in the string is an issue. Perhaps using a quotes wrapper reduces the number of symbols that you then need to escape (singlequote for singlequote vs $ and doublequote for doublequote)

If that caller program is using an array of arguments API like exec({"yourscript.sh", "test@$134!'"}) and the documentation says the call is direct with no shell, then there is no risk of the argument being interpreted before it gets to your script, but you may want to directly call the script interpreter from the caller program: exec({"/bin/bash", "yourscript.sh", "test@$134!'"}).

Then the problem probably is in your script. You need to ensure that whenever you use $1 you quote it as "$1" to ensure that it is not expanded. If you copy the $1 to a named variable then remember to quote that always.

You may need to do both these fixes.

If you are concerned that the argument might be interpreted as a command option, then you need to check the syntax of the commands you are using. Many commands support a special -- option which suppresses the option processor. But some do not. I'm not sure if there is a legal way to echo the string "-E" as a single command. Though echo does try to be generous and prints the whole word if it sees any characters that are not options, so echo -End works fine (in bash). Bash also supports a printf command, so you could use that: printf "%s\n" "-e" - any options have to be before the format string, so the injections cannot be misinterpreted.

try this pls:

var string='test@$134!'"'"

1. Im escaping "!" with single quote
2. Im adding a single quote at the end with "'"

In my shell, the variable print exactly as you want.