
Bash printf Safe String Formatting and %q Quoting Prompt

Replace fragile echo calls with printf for locale-stable, injection-resistant string building and %q shell-quoting

Target user
DevOps engineers and SREs generating commands, config, and logs from shell
Difficulty
Intermediate
Tools
Claude, ChatGPT, Cursor

The prompt

You are a senior Bash engineer auditing a script for unsafe string handling. Convert fragile `echo` usage to `printf` and use `%q` to produce shell-safe, re-executable output.

1. Scan the source I provide below for every `echo` that prints variable data, builds a command line, emits config, or writes a log line, and flag each as a portability or injection risk (note that `echo "$x"` mangles values like `-n`, `-e`, and backslashes depending on the shell and `xpg_echo`).
2. Replace each flagged call with `printf '%s\n' "[VALUE]"` for plain output; never let user/variable data land in the format string itself — it must always be an argument matched by a conversion specifier.
3. Wherever the script generates a command, path, or argument that will later be eval'd, sourced, logged-for-replay, or passed to ssh/sudo, emit it with `printf '%q ' "[ARG]"` (or `${var@Q}` on Bash 4.4+) so special characters are safely shell-quoted and the output can be pasted back verbatim.
4. Use `printf` field controls for structured output: zero-padded IDs with `%05d`, aligned columns with `%-20s`, and the "recycling" behavior where one format string is reused across a list of arguments — show an example building a fixed-width report from an array.
5. For any locale-sensitive formatting (decimals, thousands separators), set `LC_ALL=C` for machine-readable output so the script does not break on locales that use a comma decimal separator.
6. Validate numeric inputs before `%d`/`%f` so a non-numeric `[VALUE]` cannot trigger a printf format error mid-run.

Output format: return (a) the rewritten script in a single fenced ```bash block, (b) a table of each original echo, its risk, and the printf replacement, and (c) one example of `%q` round-trip output proving it re-parses to the original value.

Guardrail: the transformation must be behavior-preserving and idempotent for already-safe values — re-running the audit on the converted script must produce no further changes, and no variable data may ever be interpolated into a printf format string.

Why this prompt works

`echo` is the single most portability-hostile builtin in shell: whether it interprets `-n`, `-e`, or backslash escapes depends on the shell, the `xpg_echo` shopt, and even how the binary was compiled. A value as innocent as `-n` or `\t` can vanish or transform without warning. This prompt replaces that guesswork with `printf '%s\n'`, whose behavior is specified and identical everywhere, and it enforces the one rule that makes `printf` safe: variable data is always an argument, never part of the format string. That single discipline closes a real format-string injection vector where a stray `%` in user input can abort the script or leak argument data.

The `%q` requirement targets a subtler and more dangerous problem: scripts that build command lines for `eval`, `ssh`, `sudo`, or replay logs. Naive concatenation of a path containing spaces, quotes, or `$(...)` is a command injection waiting to happen. By having the model emit those fragments through `printf %q` (or `${var@Q}`), every special character is shell-quoted so the output re-parses to exactly the original value; the prompt even demands a round-trip proof, turning a claim into a test. The `LC_ALL=C` instruction prevents the classic locale bug where a German or French locale formats 3.14 as 3,14 and silently corrupts machine-readable output.

Because the prompt asks for a risk table and an idempotency guardrail, the result is auditable and stable rather than a one-shot rewrite that someone has to re-review by hand. It turns “we use echo everywhere” into a defensible, locale-stable, injection-resistant output layer — the kind of change that quietly removes a whole category of incidents from a fleet of automation scripts.
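
The rules above in runnable form, as an added example that is not part of the original page. The function names and sample values are assumptions made for illustration, and it needs bash because `%q` and `printf -v` are bash features.

```bash
#!/usr/bin/env bash
# Added example; all sample values are constructed. %q and printf -v need bash.
[ -n "${BASH_VERSION:-}" ] || exec bash "$0" "$@"

# BAD (kept for contrast): the value becomes the format string.
say_unsafe() { printf "$1\n"; }
# GOOD: fixed format, data is only ever an argument.
say() { printf '%s\n' "$1"; }

# Quote every argument so the line can be logged and replayed verbatim.
quote_cmd() {
  local out
  printf -v out '%q ' "$@"
  printf '%s\n' "${out% }"
}

# Round-trip proof: re-parse the %q text and compare it with the original.
roundtrips() {
  local orig=$1 quoted back
  printf -v quoted '%q' "$orig"
  eval "back=$quoted"
  [[ $back == "$orig" ]]
}

# Validate before %d; 10# stops a leading zero (e.g. 08) being read as octal.
fmt_id() {
  [[ $1 =~ ^[0-9]+$ ]] || return 1
  printf '%05d\n' "$((10#$1))"
}

# Constructed hostile value: spaces, quotes, a command substitution, a newline.
evil=$'my report $(id) \'q\' "x";\nline2.txt'

say_unsafe '95%done'              # prints 950one: %d consumed a missing argument
say '95%done'                     # prints 95%done
line=$(quote_cmd ls -l -- "$evil")
say "$line"                       # one line, safe to paste back into bash
roundtrips "$evil" && say 'round-trip OK'
fmt_id 08                         # prints 00008
fmt_id '7; id' || say 'rejected non-numeric id'
```

`%q` emits bash quoting, including the `$'...'` form for control characters, so replay the quoted line in bash rather than a plain POSIX `sh`.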
