Re^5: CGI-Upload / Bad File Number

Concerning upload:
works now - poj found the point: also the eval...

Concerning security:
Not so relevant in this case. It's a private site with previous login. But anyway i want to know mor about this:

In between i've inserted $val =~ s/'/\\'/gms; before the eval-satement - not for security but to protect the '-character - maybe this is relevant...
I'm not sure how this might be used to run code. Can you give me an example??

I looked at 'CGI->VarsAsHash' but i dont really understand it. Especially the '\%hash' in the return-statement: what does the backslash do??
Also: is there returned a hash or single strings??

Thanks, Frank

Comment on Re^5: CGI-Upload / Bad File Number Download Code

Replies are listed 'Best First'.
Re^6: CGI-Upload / Bad File Number by Anonymous Monk on Jul 17, 2016 at 08:26 UTC
Answer me this, who wrote that code? Where did you copy/paste from?	[reply]
Re^7: CGI-Upload / Bad File Number by frnk (Novice) on Jul 17, 2016 at 12:29 UTC
This eval-thing??? It's my own work... I'm a quiet good hobby-programmer with 30 years experience in C/C++. Perl i used first time around 3 years ago. So i'm still learning, but a lot of things (as ie. eval) i know from other languages. So things are quiet easy for me if they are not too specific.	[reply]
Re^8: CGI-Upload / Bad File Number by Anonymous Monk on Jul 17, 2016 at 21:11 UTC
Hi, Regarding VarsAsHash , the \ operator returns references (see perlop), so \%hash is a reference to a %hash, `my $ref = \%hash; $ref->{key} = 'value';` see perlreftut#Making References , references quick reference, modern_perl_2016_a4.pdf page 56 regarding eval, classic post on the topic of letting user input create variables in your program, http://perl.plover.com/varvarname.html, varvarname2.html, varvarname3.html example of letting user-input rewrite your program `#!/usr/bin/perl -- #~ use strict; #~ use warnings; use CGI; my $query = CGI->new( { qw{ a a b b query BANANA s s z z } } ); my @names = $query->param; for( @names ){ $val = $query->param($_); eval "\$$_ = '$val';"; } __END__ Can't locate object method "param" via package "BANANA" (perhaps you f +orgot to load "BANANA"?) at - line 8.` [download] There is no more CGI object, only BANANA, and that is best case scenario, program stopping, `$val =~ s/'/\\'/gms;` isn't enough to protect against that, instead of a failing BANANA message it could have easily deleteAllMyFiles() or makeMeSuperuser or randomExploit() Yes, you could avoid random-code in $_ by removing all except a-z characters And escape all "dangerous" characters in $val with quotemeta But then random-input is still able to replace $query or any other variable in the program break it in unexpected ways Get yourself a copy of chromatics free e?book Modern Perl a loose description of how experienced and effective Perl 5 programmers work....You can learn this too. See also Learn Perl in about 2 hours 30 minutes and maybe PLEAC - Programming Language Examples Alike Cookbook And also Lexical scoping like a fox, Read this if you want to cut your development time in half! and understand that `strict` itself confers no benefits; The benefits come from avoidance of the bad practices forbidden by `strict` :) hehe, failing BANANA :D	[reply] [d/l] [select]
Re^9: CGI-Upload / Bad File Number by frnk (Novice) on Jul 18, 2016 at 10:50 UTC
Re^10: CGI-Upload / Bad File Number by Anonymous Monk on Jul 19, 2016 at 00:17 UTC