in reply to Re^3: CGI-Upload / Bad File Number
in thread CGI-Upload / Bad File Number

This is a security hole, anybody running your cgi can run any perl program they write:

    eval("\$$_ = '$val';");
    }

$cgi->param already gives you access to params by name; there is no need for eval.

If you want something other than $cgi, use a hash; see CGI->VarsAsHash.

Re^5: CGI-Upload / Bad File Number
by frnk (Novice) on Jul 17, 2016 at 05:59 UTC

    Concerning upload:
    works now - poj found the point: also the eval...

    Concerning security:
    Not so relevant in this case. It's a private site with previous login. But anyway I want to know more about this:

    In between I've inserted $val =~ s/'/\\'/gms; before the eval statement - not for security but to protect the ' character - maybe this is relevant...
    I'm not sure how this might be used to run code. Can you give me an example??

    I looked at 'CGI->VarsAsHash' but I don't really understand it. Especially the '\%hash' in the return statement: what does the backslash do??
    Also: is a hash returned, or single strings??

    Thanks, Frank
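An added example (not code from either poster) showing the two points raised above side by side: the eval pattern from the original code, left in a comment and explained, next to the eval-free ways of reading parameters with CGI.pm, plus a small sub that returns \%hash so the backslash question is answered in running code. It assumes CGI.pm is installed; the request is a constructed query string, so it runs offline.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;

# Constructed request: CGI->new accepts a query string, so no web
# server is needed to run this (assumption: CGI.pm is installed).
my $cgi = CGI->new('name=Frank&note=it%27s+here');

# The pattern from the thread builds Perl SOURCE CODE out of request data:
#   foreach ($cgi->param) {
#       my $val = $cgi->param($_);
#       eval("\$$_ = '$val';");
#   }
# Both the parameter name (it becomes a variable name) and the value are
# pasted into a string that eval then compiles, so whoever sends the
# request decides what that code is. Escaping the quote in $val does not
# close this: the name is still interpolated unescaped, and data is still
# treated as code. The fix is to never hand request data to eval at all.

# Fix 1: ask for a parameter by name; no eval, no generated variables.
my $name = $cgi->param('name');

# Fix 2: one hash holding every parameter, keyed by parameter name.
# In list context Vars returns a plain hash (multi-valued params are
# joined with "\0", see the CGI.pm docs for Vars).
my %form = $cgi->Vars;

# What '\%hash' in a return statement means: the backslash takes a
# REFERENCE to the hash, so the caller receives one scalar that points at
# the hash instead of the hash flattened into a list of keys and values.
sub params_as_ref {
    my ($q) = @_;
    my %h = $q->Vars;
    return \%h;            # reference to %h, not a copy of its contents
}

my $ref = params_as_ref($cgi);

print "name via param():   $name\n";          # Frank
print "name via \%form:    $form{name}\n";    # Frank
print "name via reference: $ref->{name}\n";   # Frank (dereference with ->{key})
print "note kept verbatim: $form{note}\n";    # it's here (quote needs no escaping)
```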
      Answer me this, who wrote that code? Where did you copy/paste from?

        This eval-thing???

        It's my own work...

        I'm a quite good hobby programmer with 30 years experience in C/C++. Perl I used for the first time around 3 years ago. So I'm still learning, but a lot of things (as e.g. eval) I know from other languages. So things are quite easy for me if they are not too specific.