Safe indirect variable assignment in bash with printf -v
Context: writing a bash CLI flag parser that maps many flags to many variables through a small generic helper.
To assign a value to a variable whose name is itself stored in another variable (for example, in a flag-parsing helper that takes (VAR_NAME, VALUE)), use printf -v "$varname" '%s' "$value". The common alternatives eval "$varname=$value" and declare "$varname=$value" evaluate the value as shell, which opens injection holes the moment the value contains spaces, quotes, backticks, or $. printf -v writes the literal bytes with no interpretation. The same syntax also works for formatted output, such as printf -v out '%d' "$n", when you want to build a string in a variable instead of printing it to stdout.
When writing a bash arg parser that needs to assign to a variable named at runtime, reach for printf -v first; only fall back to declare or eval if you have a reason.
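Added example (not part of the original tip): a small generic flag parser built on printf -v, next to an eval-based helper for contrast. The function names, the opt_ naming scheme and the sample values are assumptions made for illustration, and the variable-name check is an extra hardening step the tip does not mention.

```bash
#!/usr/bin/env bash
# printf -v needs bash; re-exec under bash if started by a plain sh.
[ -n "${BASH_VERSION:-}" ] || exec bash "$0" "$@"

# UNSAFE, for contrast: eval re-parses the value as shell code.
assign_eval() { eval "$1=$2"; }

# SAFE: printf -v stores the value's bytes verbatim.
# The identifier check is an added hardening step: bash still parses the
# target name itself, so only plain variable names are accepted.
# No locals here, so a target can never be shadowed by the helper.
assign() {
  [[ $1 =~ ^[A-Za-z_][A-Za-z0-9_]*$ ]] || return 2
  printf -v "$1" '%s' "$2"
}

# Generic parser (hypothetical naming scheme): --log-level V -> opt_log_level=V.
# The fixed opt_ prefix keeps flags from overwriting unrelated variables.
parse_flags() {
  local _flag _val _name
  while [ "$#" -gt 0 ]; do
    case $1 in
      --?*=*) _flag=${1%%=*}; _val=${1#*=}; shift ;;
      --?*)   [ "$#" -ge 2 ] || return 1
              _flag=$1; _val=$2; shift 2 ;;
      *)      return 1 ;;
    esac
    _name=opt_${_flag#--}
    assign "${_name//-/_}" "$_val" || return 1
  done
}

# Constructed sample value with spaces, quotes, backticks and $.
demo() {
  local tricky='a b "q" `echo T` $(echo INJECTED) $HOME'
  parse_flags --log-level debug --label="$tricky" || return 1
  printf 'opt_log_level=%s\nopt_label=%s\n' "$opt_log_level" "$opt_label"
  assign_eval via_eval '$(echo INJECTED)'   # value is executed, not stored
  printf 'via_eval=%s\n' "$via_eval"
}

demo
```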