in reply to Perl as a command executor (with hash variable substitution)

There are a host of potential problems, security and otherwise, you may have to deal with for this, but let's ignore all those and attack the specific issue you've asked about.

You need Perl to perform variable interpolation on a previously existing string. You can accomplish this using a string eval, after formatting your input like a string to be interpolated. This means escaping potentially problematic characters first like backslashes and previously existing quotes. 

my %TEST_HASH = (TEST_KEY => 'TEST_VALUE');
my $cmd = '/bin/touch $TEST_HASH{"TEST_KEY"}';

$cmd =~ s/\\/\\\\/g;
$cmd =~ s/"/\\"/g;
$cmd = eval qq{"$cmd"} or die $@;

print $cmd

[download]

Please don't run your intended code on any machine you care about security on, because this is pretty much the definition of injection and privilege escalation.

#11929 First ask yourself `How would I do this without a computer?' Then have the computer do it the same way.

Replies are listed 'Best First'.
Re^2: Perl as a command executor (with hash variable substitution)
by RecursionBane (Beadle) on Mar 21, 2013 at 19:29 UTC
    Thank you! I understand the security risks. These commands will be executed by the logged in user with his/her privileges. I will keep security in memory when attempting to deploy this in scale.
[reply]

      Please don't deploy this. It's so ... evil.

      Tell us what you want to achieve. I'm pretty sure there are solutions where you don't have to sell your soul.

      McA

[reply]
      I will keep security in memory when attempting to deploy this in scale.

      Security will, indeed, be but a memory, and a faint one at that.

[reply]
        Your response made me laugh during a meeting. Thank you for that. :-)
[reply]

In Section Seekers of Perl Wisdom