Good comments. On the sysopen() issue, I'd like to note that you can also just use something like:
The leading mode ("<" in this case but can be many other modes like ">>" or "+<"), the separating space (between the mode and the file name), and the trailing null ("\0"), when all present together, prevent interpretation of the file name. So pipes ("|") or greater thans (">") in the $filename string won't cause Perl to spawn a subprocess or write to a file that you wanted to read from. This works even in Perl4.open( FILE, "< $filename\0" )
Checking the documentation for this I find that modern versions of Perl also support:
I find no reference to the old method that I described above. I suspect that this is because it has been removed from the documentation not because it has been removed from Perl (because the latter would be sad, replacing a solution that ports to old versions of Perl with one that doesn't). I'll have to do some checking and report back.open( FILE, "<", $filename )
Using these can be more convenient than using sysopen() while still closing the same security holes.
- tye (but my friends call me "Tye")In reply to sysopen (RE: Request for Comments - CGI Course)
by tye
in thread Request for Comments - CGI Course
by Ovid
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |