Be very careful executing commands if you're going to accept input from untrusted sources. If you feed system(), exec(), or backticks a scalar (non-array) argument, it goes to the system shell for interpretation. For instance, let's say you're trying to allow users to specify a file to run "ls -l" on: 
# Instead of passing a file name, a malicious user sends
# another command
$user_input = "; rm -rf /";

# system() happily executes "ls -l" followed by "rm -rf /"
system("ls -l $user_input");

[download]
To avoid this, you should always pass array arguments to system() and exec(): 
$user_input = "; rm -rf /";

# In this case the user just gets a "no such file or
# directory" error
system("ls", "-l", $user_input);

[download]
Backticks are a bit trickier because there's no syntax to pass in an array argument. To safely capture the output of a command, use open() to fork off a child and exec() to execute the command: 
# Bad
@output = `ls -l $user_input`;

# Good
if ($kidpid = open(PIPE, "-|"))
{
        # Parent process.  Read data from the child.
        @output = <PIPE>;
} else {
        # Child process.  Execute the command.
        die "could not fork" if !defined($kidpid);
        exec ("ls", "-l", $user_input) or die "exec failed: $!";
}

[download]

-Matt

In reply to Safer system(), exec(), and `` (was RE: calling Unix commands) by DrManhattan
in thread calling Unix commands by Max_Glink

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post, it's "PerlMonks-approved HTML":


  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.