Safe way to do regexp tests indirectly

AndyH has asked for the wisdom of the Perl Monks concerning the following question:

What's the best (i.e. safest) way to construct regexp tests in perl code indirectly, i.e. with the test to be conducted looked up from somewhere else, e.g. database entry or from a hash with hashes and lists?

For example, I might want to have a list with the names of variables and I want to check if they all exist, so I would want to turn

my %tests = (
  ...
  list => ['foo','bar']
  ...
);
[download]

into

if (($foo) && ($bar)) {

Or, I might want a full regexp to be looked up and then placed into a test.

Grateful for tips, tricks and traps on this. Thanks.

Comment on Safe way to do regexp tests indirectly Select or Download Code

Replies are listed 'Best First'.
Re: Safe way to do regexp tests indirectly by tachyon (Chancellor) on Sep 25, 2003 at 07:30 UTC
Depends on where you data comes from. Provided you completely trust it you can do: `@list = qw( this that other \w+\s\w+ ); $re = join '\|', @list; $re = qr/$re/; print "Match\n" if 'foo bar' =~ m/$re/;` [download] This is fine BUT if you have say '(foo' in your list it will crash as the unmatched ( is invalid. You can cure this with a quotemeta `$re = join '\|', map{quotemeta} @list;` [download] The problem with this is that ALL regex metachars will get escaped so our '\w+\s\w+' in the previous example will get escaped to '\\w\+\\s\\w\+' which will loses its wildcard bahaviour and matches that literal string. You could use eval to see if the RE compiles BUT that is potentially dangerous. Don't use string eval..... my $re; my $str = '(foo'; eval {$re = qr/$str/}; if ( $@ ) { print "Oops $@\n"; } print "Still running.....$re\n"; $str = '/;print"You hacked me!";/'; eval {$re = qr/$str/}; if ( $@ ) { print "Oops $@\n"; } print "Still running.....$re\n"; $str = '/;print"You hacked me!\n";/'; eval "\$re = qr/$str/"; if ( $@ ) { print "Oops $@\n"; } print "Still running.....$re\n"; __DATA__ Oops Unmatched ( before HERE mark in regex m/( << HERE foo/ at C:\PROG +RA~1\PERLBU~1\debug\test.pl line 5. Still running..... Still running.....(?-xism:/;print"You hacked me!";/) *****You hacked me! Still running.....(?-xism:) [download] cheers tachyon s&&rsenoyhcatreve&&&s&n.+t&"$'$`$\"$\&"&ee&&y&srve&&d&&print	[reply] [d/l] [select]

Replies are listed 'Best First'.

Re: Safe way to do regexp tests indirectly
by tachyon (Chancellor) on Sep 25, 2003 at 07:30 UTC

Depends on where you data comes from. Provided you completely trust it you can do:

@list = qw( this that other \w+\s\w+ );
$re = join '|', @list;
$re = qr/$re/;
print "Match\n" if 'foo bar' =~ m/$re/;
[download]

This is fine BUT if you have say '(foo' in your list it will crash as the unmatched ( is invalid. You can cure this with a quotemeta

$re = join '|', map{quotemeta} @list;
[download]

The problem with this is that ALL regex metachars will get escaped so our '\w+\s\w+' in the previous example will get escaped to '\\w\+\\s\\w\+' which will loses its wildcard bahaviour and matches that literal string.

You could use eval to see if the RE compiles BUT that is potentially dangerous. Don't use string eval.....

my $re;
my $str = '(foo';
eval {$re = qr/$str/};
if ( $@ ) {
    print "Oops $@\n";
}
print "Still running.....$re\n";

$str = '/;print"You hacked me!";/';
eval {$re = qr/$str/};
if ( $@ ) {
    print "Oops $@\n";
}
print "Still running.....$re\n";

$str = '/;print"You hacked me!\n";/';
eval "\$re = qr/$str/";
if ( $@ ) {
    print "Oops $@\n";
}
print "Still running.....$re\n";
__DATA__
Oops Unmatched ( before HERE mark in regex m/( << HERE foo/ at C:\PROG
+RA~1\PERLBU~1\debug\test.pl line 5.

Still running.....
Still running.....(?-xism:/;print"You hacked me!";/)
*****You hacked me!
Still running.....(?-xism:)
[download]

cheers

tachyon

s&&rsenoyhcatreve&&&s&n.+t&"$'$`$\"$\&"&ee&&y&srve&&d&&print

[reply]
[d/l]
[select]