Execute a string which has math operation

irah has asked for the wisdom of the Perl Monks concerning the following question:

Replies are listed 'Best First'.

Re: Execute a string which has math operation
by Athanasius (Archbishop) on Jan 05, 2014 at 04:40 UTC

#! perl
use strict;
use warnings;

my ($a, $b, $c) = (4, 2, '-');
my  $op = "$a $c $b";
print "$op = ", eval $op, "\n";
[download]

Output:

14:39 >perl 823_SoPW.pl
4 - 2 = 2

14:39 >
[download]

Hope that helps,

Athanasius <°(((>< contra mundum Iustus alius egestas vitae, eros Piratica,

[reply]
[d/l]
[select]

Re^2: Execute a string which has math operation

by bulk88 (Priest) on Jan 05, 2014 at 07:23 UTC

That should be sanitized somehow. IDK exactly how but that looks like perl injection/rooting.

[reply]

Re^3: Execute a string which has math operation

by Preceptor (Deacon) on Jan 05, 2014 at 10:22 UTC

It is - using eval to execute user supplied 'stuff' is dangerous. However it's _most_ dangerous when the program runs as a privileged user (e.g. web server, database instance). If I write a script, and then 'break' it, then I don't elevate my privileges, so at best it's a cute trick, on a part with using perl to 'process' STDIN.

A case in point

If however, you do have potential privilege escalation, then it's very important to sanitise your inputs. Normally, you'd do this by 'whitelisting' certain characters (e.g. numbers + arithmetic operators) and removing anything that isn't. URI::Escape may be useful for that - if you do it right, a regular expression will do the trick, but I can't elaborate off the top of my head.

[reply]

Re^2: Execute a string which has math operation

by irah (Pilgrim) on Jan 05, 2014 at 04:44 UTC

Thanks Athanasius

I was tried to execute directly without string into the variable. Thank you so much.

[reply]

Re: Execute a string which has math operation
by Anonymous Monk on Jan 05, 2014 at 07:29 UTC

calculator

math poly

[reply]