in reply to Running System Commands With ""

Again, TIMTOWTDI. I could tell you about using the qq// operator or simply 'single quotes' or \backslashes or the concatenation.operator, but the _best_ way is certainly the list-method of system():

unless( system('adduser' => $username,
               -g => 100,
               -s => '/bin/false',
               -d => "/home/$username",
               -p => $encrypted_pass,
               -e => $expiry_date,
               -c => $realname,
       )){
    # system() returned 0, i.e. adduser exited successfully
}

See `perldoc -f system`

UPDATE: I've just read Don't try this at home: that's the reason why passing a list to system() is the best way :)

--
http://fruiture.de
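
The difference between the two calling forms, as an added example that is not part of the original post. It assumes a Unix-like system with `echo` on the PATH; `adduser_argv`, the username pattern and the sample names are hypothetical, and the adduser part is a dry run that executes nothing.

```perl
#!/usr/bin/perl
use strict;
use warnings;
$| = 1;    # keep our output in order with the child processes' output

# Constructed input: a "username" carrying shell metacharacters.
my $hostile = 'alice; echo INJECTED';

print "string form (handed to /bin/sh -c):\n";
system("echo user=$hostile");      # the shell splits at ';' and runs a second command

print "list form (execvp, no shell):\n";
system('echo', "user=$hostile");   # the whole value arrives as one argv entry

# The list form only removes the shell. A value beginning with "-" would
# still be read by the target program as an option, so validate it before
# building the argument list. The pattern is an assumption (a conservative
# login-name rule), not something adduser itself mandates.
sub adduser_argv {
    my ($username, $realname) = @_;
    die "rejected username\n"
        unless $username =~ /\A[a-z_][a-z0-9_-]{0,31}\z/;
    return ('adduser', $username,
            -s => '/bin/false',
            -d => "/home/$username",
            -c => $realname);      # free text is safe here: no shell parses it
}

# Constructed test names: one valid, one option-like, one with metacharacters.
for my $name ('bob', '-x', $hostile) {
    my @argv = eval { adduser_argv($name, "Bob O'Neil; Jr.") };
    if (@argv) {
        print "would run: ", join(' | ', @argv), "\n";
    } else {
        print "rejected:  $name\n";
    }
}
```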

Re: Re: Running System Commands With ""
by John M. Dlugosz (Monsignor) on Sep 11, 2002 at 21:02 UTC
    What does that do on an OS where a new process gets a single string? If it just concatenates the list together, you're back where you started.

      I don't even know any OS that does so. But still it's more secure, because still no shell is started and no shell-tricks can be used. But an OS without 'char *argv[]' probably also doesn't know a shell, .. ? :)

      --
      http://fruiture.de
        Windows gets a command-line tail (a single string) in the new process, as did DOS before it and CPM.

        The run-time library chops it up to populate argc/argv before calling main.

        As for when Perl uses a shell vs. calls the process directly, there is lots of OS-specific case code in there. I looked through it for Windows to see what it really did, and probably posted an expose here in PM, but I can't remember the details. Every other OS has its own special stuff, too, so it's quite non-portable to make such assumptions.