Re: eval without warnings



> On Tue, 27 Sep 2005, Bryan R Harris wrote:
>
>> I'd like to evaluate user input only where it makes sense, e.g.
>>
>> "2*(3+2)" ==> 10
>> "2*dog" ==> "2*dog"
>> "mysquarefunction(2)" ==> 4
>> "3*mysquarefunction(2)" ==> 12
>> "some guy" ==> "some guy"
>
> What happens when they put something in like
>
> "system('rm -rf /')"
>
> ?
>
> Blindly running input from users is a bad, bad, bad, bad idea.
>
> Figure out what kind of input you need from them, specify it as narrowly
> as you can manage, and then validate that it does match that spec.


I *really really* trust my users, since the primary user will be me. This
is for a filter to be executed at the command line, not for a CGI script.
If the user wants to type this, they could do it without going through the
script...

- B


.

Relevant Pages

  • Re: Use of uninitialized value... --> quit!
    ... >>Bryan R Harris wrote: ... They are actually warnings instead of errors. ... > ralph 2057% perldoc perllexwarn ...
    (perl.beginners)
  • RE: $p{"Bryan"}{"age"} = 31
    ... Bryan R Harris wrote: ... > Is there anything wrong with out of the blue making a statement like ... Prev by Date: ...
    (perl.beginners)
  • Re: get function name?
    ... Bryan R Harris wrote: ... I have properties that vary depending on what function I'm in, ... can special-order certain sorts of tools at low cost and ...
    (perl.beginners)
  • Re: two way piped open
    ... Bryan R Harris wrote: ... > I'd like to open 2-way pipe to a tool that we have here. ... > yprtool and once it's open, you give it 3 numbers to its STDIN and it spits ...
    (perl.beginners)
  • Re: On using $_ in subroutines
    ... Bryan R Harris wrote: ... There are also dynamic, meaning that the new version of the variable will be used in all called subroutines, even if the subroutines are in another file or package. ... If you really want to run one, you can but bugs can appear and disappear at any time. ...
    (perl.beginners)