How to use python variable in os.system? [duplicate]

Question

I am creating small console script in python, and I will like to put cowsay command in it, but cow says name of the variable, where the string is, not the string inside the variable. How I can get the cow to say string inside the variable?

if (command == 'cow'):
    word = raw_input('What does the cow say?  ')
    os.system('cowsay word')

Answer 1

lazy solution is to simply concatenate the word:

>>> import os
>>> word="moo"
>>> os.system('cowsay ' + word)
 _____ 
< moo >
 ----- 
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
0

BUT you should not do this. What if the user inputs moo; rm -rf /? guess what will happen. Also, word="$(cat /etc/passwd)" and word="$aliases" or words with backticks will yield non-expected results.

You should use the Subprocess module, which takes care of escaping shell args and constructing the call:

>>> import subprocess
>>> subprocess.Popen(['cowsay', word])
<subprocess.Popen object at 0x7fe8c7656c18>
>>>  _____ 
< moo >
 ----- 
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||

Use .communicate() for simple invocations, as described in the docs or as in the example below. And now you don't have to worry about injections:

>>> word="$(cat /etc/passwd)"
>>> stdout, stderr = subprocess.Popen(
                     ['cowsay', word]).communicate()
 ____________________ 
< $(cat /etc/passwd) >
 -------------------- 
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||

Answer 2

You could use format to construct the string

os.system('cowsay {}'.format(word))

Or simple string concatenation

os.system('cowsay ' + word)

But I prefer the former, especially if the string get more complicated.