Hi,
Regarding VarsAsHash, the \ operator returns references (see perlop), so \%hash is a reference to %hash:

my $ref = \%hash;
$ref->{key} = 'value';

See perlreftut#Making References, References quick reference, and modern_perl_2016_a4.pdf page 56.
Regarding eval, a classic post on the topic of letting user input create variables in your program: http://perl.plover.com/varvarname.html, varvarname2.html, varvarname3.html.

Example of letting user input rewrite your program:
#!/usr/bin/perl --
#~ use strict;
#~ use warnings;
use CGI;
my $query = CGI->new( { qw{ a a b b query BANANA s s z z } } );
my @names = $query->param;
for( @names ){
    $val = $query->param($_);
    eval "\$$_ = '$val';";
}
__END__
Can't locate object method "param" via package "BANANA" (perhaps you forgot to load "BANANA"?) at - line 8.
There is no more CGI object, only BANANA, and that is the best-case scenario: the program stops.

$val =~ s/'/\\'/gms; isn't enough to protect against that;
instead of a failing BANANA message it could just as easily have run deleteAllMyFiles() or makeMeSuperuser or randomExploit().
Yes, you could avoid random code in $_ by removing all except a-z characters,
and escape all "dangerous" characters in $val with quotemeta,
but then random input is still able to replace $query or any other variable in the program and break it in unexpected ways.
Get yourself a copy of chromatic's free e-book Modern Perl, "a loose description of how experienced and effective Perl 5 programmers work.... You can learn this too."
See also Learn Perl in about 2 hours 30 minutes
and maybe PLEAC - Programming Language Examples Alike Cookbook
And also Lexical scoping like a fox, Read this if you want to cut your development time in half!, and understand that strict itself confers no benefits; the benefits come from avoidance of the bad practices forbidden by strict :)
hehe, failing BANANA :D
In reply to Re^8: CGI-Upload / Bad File Number
by Anonymous Monk
in thread CGI-Upload / Bad File Number
by frnk
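The hash-based alternative the reply points at, written out as an added example (this is not code from the post or from CGI.pm). It reuses the post's parameter names, including the hostile "query" => "BANANA" pair, but a constructed hash stands in for $query->param so it runs without the CGI module; the helper name params_as_hash and the whitelist of expected names are assumptions for the illustration.

```perl
#!/usr/bin/perl
# Added example (not from the original post): keep user-supplied
# name/value pairs in a lexical hash instead of eval-ing them into
# variables, so a parameter named "query" cannot clobber $query and
# quotes in a value are never compiled as code.
use strict;
use warnings;

# Constructed stand-in for $query->param: the same pairs as the post's
# CGI->new(...) call, plus a value containing a quote that would have
# needed escaping under the string-eval approach.
my %raw = ( a => "it's", b => 'b', query => 'BANANA', s => 's', z => 'z' );

# The only parameter names this program actually expects (assumption).
my %allowed = map { $_ => 1 } qw( a b s z );

# Copy accepted parameters into a fresh hash and return a reference to it
# (\%hash, as perlreftut describes). Unexpected names are dropped; values
# are stored as data, nothing is eval'd.
sub params_as_hash {
    my ($raw, $allowed) = @_;
    my %clean;
    for my $name ( sort keys %$raw ) {
        next unless $allowed->{$name};   # "query" never reaches the program's variables
        $clean{$name} = $raw->{$name};   # "it's" is just a string here
    }
    return \%clean;
}

my $p = params_as_hash( \%raw, \%allowed );

# $p is a plain container: $p->{query} is undef and the program's own
# lexicals are untouched no matter what names arrive from the client.
printf "%s=%s\n", $_, $p->{$_} for sort keys %$p;
print defined $p->{query} ? "query leaked in\n" : "query was dropped\n";
```

The point of the whitelist is that the set of variables a request can influence is fixed by the program, not by the request; the point of the hash is that `$p->{query}` and `$query` are unrelated names, so no amount of escaping is needed to keep them apart.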