Hi,
Regarding VarsAsHash, the \ operator returns references (see perlop), so \%hash is a reference to %hash: my $ref = \%hash; $ref->{key} = 'value';
See perlreftut#Making References, the references quick reference, and modern_perl_2016_a4.pdf page 56.
Regarding eval,
a classic post on the topic of letting user input create variables in your program: http://perl.plover.com/varvarname.html, varvarname2.html, varvarname3.html
Example of letting user input rewrite your program:
#!/usr/bin/perl --
#~ use strict;
#~ use warnings;
use CGI;
my $query = CGI->new( { qw{ a a b b query BANANA s s z z } } );
my @names = $query->param;
for( @names ){
    $val = $query->param($_);
    eval "\$$_ = '$val';";   # the input picks both the variable name and its value
}
__END__
Can't locate object method "param" via package "BANANA" (perhaps you forgot to load "BANANA"?) at - line 8.
There is no more CGI object, only BANANA, and that is the best-case scenario: the program stops.
$val =~ s/'/\\'/gms; isn't enough to protect against that;
instead of a failing BANANA message it could easily have been deleteAllMyFiles() or makeMeSuperuser or randomExploit().
Yes, you could avoid random code in $_ by removing all characters except a-z,
and escape all "dangerous" characters in $val with quotemeta,
but then random input is still able to replace $query or any other variable in the program and break it in unexpected ways.
Get yourself a copy of chromatic's free e-book Modern Perl, "a loose description of how experienced and effective Perl 5 programmers work.... You can learn this too."
See also Learn Perl in about 2 hours 30 minutes,
and maybe PLEAC - Programming Language Examples Alike Cookbook.
And also Lexical scoping like a fox and Read this if you want to cut your development time in half!, and understand that strict itself confers no benefits; the benefits come from avoidance of the bad practices forbidden by strict :)
hehe, failing BANANA :D
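An added example, not code from the original post, that reproduces the clobbering described above (with the a-z filter and quotemeta applied) beside the hash-based alternative; FakeQuery is an assumed stand-in for the CGI object so it runs without CGI.pm, and the parameter list is constructed:

```perl
#!/usr/bin/perl --
use strict;
use warnings;

# Stand-in for the CGI object in the post so this runs without CGI.pm.
# The parameter list is constructed; what matters is the parameter named
# "query", which collides with the program's own $query variable.
package FakeQuery {
    sub new   { my ( $class, %p ) = @_; return bless {%p}, $class }
    sub param { my ( $self, $n ) = @_; return @_ > 1 ? $self->{$n} : sort keys %$self }
}
package main;

my $query = FakeQuery->new( a => 'a', b => 'b', query => 'BANANA', s => 's' );

# Unsafe binding: names limited to a-z, values escaped with quotemeta, then eval.
# The input can no longer inject code, but it still chooses WHICH variable in
# scope gets overwritten, so $query itself becomes the string "BANANA".
sub bind_by_eval {
    for my $name ( $query->param ) {
        next unless $name =~ /^[a-z]+$/;
        my $val = quotemeta $query->param($name);
        eval "\$$name = '$val'; 1" or warn "eval failed for \$$name: $@";
    }
}

# Caught here so the script can continue to the safe version.
eval { bind_by_eval(); 1 } or print "unsafe version died: $@";

# Safe binding, as the reply suggests: user-controlled names become hash keys.
# A key called "query" is just data, so $query stays a FakeQuery object.
$query = FakeQuery->new( a => 'a', b => 'b', query => 'BANANA', s => 's' );
my %param;
for my $name ( $query->param ) {
    $param{$name} = $query->param($name);
}
print "safe version: \$param{query} = $param{query}; \$query is still a ", ref $query, "\n";
```

The first print reports the same "Can't locate object method "param" via package "BANANA"" error as the post, because the eval for the parameter named query overwrote the lexical $query before the next param() call; the second print shows $query still being a FakeQuery object.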