---
title: Don't use variables as printf format strings
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Static Code Analysis (SAST) > SAST
  Rules > Don't use variables as printf format strings
---

# Don't use variables as printf format strings

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**ID:** `bash-security/printf-format-variable`

**Language:** Bash

**Severity:** Error

**Category:** Security

**CWE**: [134](https://cwe.mitre.org/data/definitions/134.html)

## Description{% #description %}

Using a variable as the `printf` format string can allow format-string injection. If the value is user-controlled, format specifiers like `%s`, `%q`, or `%n` can change output behavior and leak or corrupt data unexpectedly.

Always pass a fixed format literal and keep untrusted data in arguments, for example: `printf '%s' "$var"`.

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```bash
#!/bin/bash
printf "$var"
printf "${fmt}" "$value"
printf -v out "$fmt" "$value"
printf "prefix ${fmt}" "$value"
```

## Compliant Code Examples{% #compliant-code-examples %}

```bash
#!/bin/bash
printf '%s' "$var"
printf "%s\n" "$user_input"
printf 'hello %s' "$name"
printf -- '%s' "$value"
printf -v out '%s' "$user_input"
```
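As an added illustration, not part of the Datadog rule or its implementation, the script below approximates this check with a grep heuristic run over the non-compliant and compliant lines above, and shows the behavioural difference a fixed format literal prevents. `find_variable_formats`, `count_variable_formats`, `unsafe_render`, `safe_render`, and the sample script and value are assumptions of this example.

```bash
#!/bin/bash
# Added example, not Datadog's rule implementation. find_variable_formats is a
# hypothetical grep heuristic that approximates the rule; unsafe_render and
# safe_render show why a fixed format literal matters.

# Flag printf calls whose (optionally "-v VAR") format argument is a
# double-quoted string containing a variable expansion.
find_variable_formats() {
  grep -nE '^[[:space:]]*printf([[:space:]]+-v[[:space:]]+[A-Za-z_][A-Za-z0-9_]*)?[[:space:]]+"[^"]*\$' "$1"
}

# Number of flagged lines in a script (0 when none).
count_variable_formats() {
  find_variable_formats "$1" | wc -l | tr -d '[:space:]'
}

# Constructed sample script: the first four lines are the non-compliant forms
# from this rule, the last four are the compliant ones.
SAMPLE="$(mktemp)"
cat > "$SAMPLE" <<'EOF'
printf "$var"
printf "${fmt}" "$value"
printf -v out "$fmt" "$value"
printf "prefix ${fmt}" "$value"
printf '%s' "$var"
printf "%s\n" "$user_input"
printf -- '%s' "$value"
printf -v out '%s' "$user_input"
EOF

# Format string taken from the variable: specifiers in the value are interpreted.
unsafe_render() { printf "$1"; }
# Fixed literal format: the value is printed verbatim as an argument.
safe_render() { printf '%s' "$1"; }

# Constructed untrusted value that happens to contain format specifiers.
UNTRUSTED='%s%s is 100%% done'

echo "flagged lines:"
find_variable_formats "$SAMPLE"
printf 'unsafe: [%s]\n' "$(unsafe_render "$UNTRUSTED")"   # [ is 100% done]
printf 'safe:   [%s]\n' "$(safe_render "$UNTRUSTED")"     # [%s%s is 100%% done]
```

The heuristic only flags double-quoted formats that contain `$`; single-quoted formats, which cannot expand variables, are never reported.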