in reply to Re: Re: Re: the search string and me
in thread the search string and me

I think you take the wrong approach to interaction on the internet: Your users should never be regarded as crazy, deranged or plain curious, but as malicious. And yes, I do think that overwriting a global value can have severe effects. But you use eval to set that string. So if I would craft a query parameter named [system q(rm -rf /)], that code would be executed by your eval statement.

You could do some dereferencing via a hash to fill the variable with the parameter to get around the eval statement, but let's face it - CGI.pm and its cousins already do that and in a tried and tested way.

perl -MHTTP::Daemon -MHTTP::Response -MLWP::Simple -e ' ;    # The  
$d = new HTTP::Daemon and fork and getprint $d->url and exit;#spider
($c = $d->accept())->get_request(); $c->send_response( new   #in the
HTTP::Response(200,$_,$_,qq(Just another Perl hacker\n))); ' #  web

[download]

Replies are listed 'Best First'.
Re: Re: Re: Re: Re: the search string and me
by wolis (Scribe) on Sep 16, 2003 at 00:48 UTC
    Ah.. <penny drops> now I' m begining to understand.

    Being a windows user I am slowly understanding all of this stuff and the relationship with special variables and the underlying system.

    I only added the eval bit as I got tired of having to manually convert $username = $params{'username'}; each time I wanted to display the username variable (again my own code which replaces tagged fields with variables and I was unable to get it to handle hash or list values but it was happy with scalars).

    So 'taint' sounds interesting.. must do some reading about that :-) 

     ___
/\__\ "What is the world coming to?"
\/__/ www.wolispace.com

    [download]
[reply]
[d/l]
      I only added the eval bit as I got tired of having to manually convert $username = $params{'username'}; each time I wanted to display the username variable (again my own code which replaces tagged fields with variables and I was unable to get it to handle hash or list values but it was happy with scalars).
      Huh? That's odd. This is Perl, not PHP, and you can use hash items in a string just like any other scalar. Just use the correct type of quotes, or no quotes for a bareword (= just like the name of a plain variable), or escape them with a backslash. Like this: 
      $params{'name'} = "Slim Shady";
print "My name is $params{'name'}\n";
print "My name is $params{name}\n";
print "My name is $params{\"name\"}\n";

      [download]
      All three work equally well.
[reply]
[d/l]
        {nods in agreement} I do use my $params{'things'} in strings and concat to strings 'bit '.$params{'bot'} however:

        My templating function does this nattly little conversion of a field name into its value in a string: 

         $fld =~ s/\$(\w+)/${$1}/g; # convert variable into its value..

        [download]
        Which failed the first time I tried including a $params{'thing'} so I gave up and just used $scalars ever since :-)

        I should re-investigate.. sounds like a good idea! 

         ___
/\__\ "What is the world coming to?"
\/__/ www.wolispace.com

        [download]
[reply]
[d/l]
[select]

In Section Seekers of Perl Wisdom