in reply to Text formatting a command in CGI

Update: Oops, didn't see the system call was multi-arg. I should probably get some sleep. ; )

system won't return the text that is spit out onto STDOUT by the program it calls. You should use backticks for that, but the problem with backticks is security holes. As for formatting, just use the pre HTML tag to keep the formatting...

BUT, you shouldn't be doing any of that, because the person running it could put anything in $ip. You haven't provided other code, so I don't know if you do filtering and escaping, but even then I wouldn't do something like that. It is almost a guaranteed security hole. What if I set $ip to "; rm -rf /"? It would run

nmap; rm -rf /

as whatever user the CGI is running as.
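The unsafe pattern the reply above warns about, placed beside a hardened version of the same step, as an added example that is not code from the original thread or any of its posters. It assumes the script reads the address with CGI.pm and that nmap is on the CGI user's path; the dotted-quad check and the escape_html helper are this example's own, not something the thread specifies.

```perl
#!/usr/bin/perl
# Added example, not from the original thread: unsafe vs. hardened
# handling of a user-supplied address passed to an external command.
use strict;
use warnings;
use CGI;

my $q  = CGI->new;
my $ip = $q->param('ip');   # untrusted: comes straight from the request

# UNSAFE (the pattern the reply warns about): the whole string goes to
# /bin/sh, so an $ip of "; rm -rf /" runs as the CGI user.
#     my $out = `nmap $ip`;

# 1. Validate: accept only a dotted-quad IPv4 address and nothing else.
#    The regex and the 0-255 octet check are assumptions of this example.
unless (defined $ip
        && $ip =~ /\A(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\z/
        && !grep { $_ > 255 } ($1, $2, $3, $4)) {
    print "Content-type: text/plain\n\n";
    print "invalid address\n";
    exit;
}

# 2. Run without a shell. Multi-arg system() avoids the shell but does not
#    return the program's STDOUT; the list form of open() also passes the
#    arguments directly to exec() and lets us read the output.
open(my $fh, '-|', 'nmap', $ip) or die "cannot run nmap: $!";
my $out = do { local $/; <$fh> };
close $fh;

# 3. Escape before placing program output in HTML, then keep the
#    original line layout with <pre>.
sub escape_html {
    my $s = shift;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    return $s;
}

print "Content-type: text/html\n\n";
print "<pre>", escape_html($out), "</pre>\n";
```

Two points from the thread are reflected here: the multi-arg form that the original poster already used keeps the shell out of the picture but gives no captured output, so the list-form open() is used for the capture; and if the response is sent as text/plain instead of text/html, as the poster later settled on, the escaping and the <pre> wrapper are unnecessary, while the validation and the shell-free call still are.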

Re: Re: Text formatting a command in CGI
by digitalx (Novice) on May 24, 2003 at 02:38 UTC
    Thanks for the help. I am very new though and do not know what the pre HTML tag is. If someone could explain it to an idiot like me, I would appreciate it. Thanks.
    Digitalx
      I am very new though and do not know what the pre HTML tag is.
      Then you'll be wanting to check out http://www.htmlhelp.com, which has the advantage of being written by people who really understand the standards. Lots of links from there to other decent sites too, not cargo-cult sites.

      -- Randal L. Schwartz, Perl hacker
      Be sure to read my standard disclaimer if this is a reply.

      Never mind. I figured it out. text/plain instead of text/html. Thanks again for all your help.
Re: Re: Text formatting a command in CGI
by digitalx (Novice) on May 27, 2003 at 04:38 UTC
    Thanks guys. I really do get the help when I need it here.