IMO, there's a huge difference between eval STR and eval BLOCK. You're using eval STR, and could run into problems with a poor regexp (and I'm not saying you have one). I suggest using eval BLOCK instead.
my $op = $query->param('option') || 'Login'; if ($op =~ /^(\w+)$/) { # this is good for untainting. $op = $1; } else { $op = 'NotAllowed'; } # convert $op into a modulename. (my $modname = $op) =~ s.::./.g; # since you don't allow :'s this isn' +t needed, but it's useful in the general case. $modname .= '.pm'; eval { require $modname }; die "Couldn't find class $op : $@\n" if $@; $op->perform(...);
With your original eval STR code, a carefully crafted option parmaeter, with a broken regular expression (again, yours doesn't seem to be such a case), could insert extra perl commands to run. e.g., an option of "strict;system(qw{rm -rf /})" would be disasterous. You eliminated that with your regexp, but eval BLOCK also eliminates it. IMO, with something so dangerous, it doesn't hurt to double-protect oneself. Just in case you accidentally break your regexp later, for example.
(And, as an added bonus, eval BLOCK is faster.)
In reply to Re: better ways than eval to dynamic load a module
by Tanktalus
in thread better ways than eval to dynamic load a module
by jbrugger
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |