in reply to system versus qx security

Actually what the system function is doing is not 'quoting' the parameters but directly supplying them to the OS exec call.
Note that argument processing varies depending on the number of arguments. If there is more than one argument in LIST, or if LIST is an array with more than one value, starts the program given by the first element of the list with arguments given by the rest of the list. If there is only one scalar argument, (...)
While qx supplies the command to the shell for parsing for arguments. And this happens in the 'only one scalar argument' case above too (which I cut out for brevity).

You might try to look at IPC::Open2 or IPC::Open3 functions. They can be called in similar fashions as system.
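The difference described above, as an added example that is not part of the original post: the same constructed input is passed through qx, through a list-form pipe open, and through IPC::Open3 called with a list. It assumes a POSIX-like system with `echo` on the PATH; `capture_list` and `capture_open3` are hypothetical helper names.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use IPC::Open3;
use Symbol 'gensym';

# Constructed input: a filename followed by a shell separator and a
# harmless marker command, standing in for untrusted data.
my $input = 'report.txt; echo INJECTED';

# 1. qx with interpolation: the whole string is handed to the shell, so
#    the ';' ends the first command and the remainder runs as a second one.
my $via_shell = qx(echo $input);

# 2. List-form pipe open: no shell is involved, and $input reaches the
#    program as a single argv element. Captures stdout like qx does.
sub capture_list {
    my ($cmd, @args) = @_;
    open(my $fh, '-|', $cmd, @args) or die "cannot run $cmd: $!";
    my $out = do { local $/; <$fh> };   # slurp all output
    close($fh) or warn "$cmd exited with status $?\n";
    return $out;
}

# 3. IPC::Open3 called with a list, in the same fashion as system LIST.
sub capture_open3 {
    my ($cmd, @args) = @_;
    my $err = gensym;                   # separate handle for stderr
    my $pid = open3(my $in, my $out, $err, $cmd, @args);
    close $in;                          # the child gets EOF on stdin
    my $text = do { local $/; <$out> };
    waitpid($pid, 0);                   # reap the child; status is in $?
    return $text;
}

print "qx:        $via_shell";
print "list open: ", capture_list('echo', $input);
print "open3:     ", capture_open3('echo', $input);
```

Only the qx line runs the marker command; in the other two the separator stays literal text inside one argument.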

Re: Re: system versus qx security
by Jenda (Abbot) on Oct 03, 2003 at 14:58 UTC

    If such a call exists. Under some OSes it does quote parameters (and then crosses fingers). It's true though that the shell is not involved in system($cmd,@params).

    Jenda
    Always code as if the guy who ends up maintaining your code will be a violent psychopath who knows where you live.
       -- Rick Osborne

    Edit by castaway: Closed small tag in signature