in reply to interpolate using backticks?

Argh, forgot my password.... Anyway, the problem with using backticks is that whatever is between the backticks is going to be passed to a shell, so if you interpolate a var with data read from the user, you can do whatever you want. Example: try your code with
<code>mail; touch jejejejeje</code>
as the input.

A safer, but more convoluted, way to do this is using open with "-|":
<code>
# child execs du directly, no shell
open (DA, "-|") || exec "du", "$dir";
@output = <DA>;
</code>
This will fork a process; in the parent, the exec isn't going to be executed, as the return of the open will be the PID of the child, and the child will just exec du with the content of $dir as first arg, without passing anything through a shell. In the previous example, it would give you an error:
<code>du: mail;touch jejejej: No such file or directory</code>
Yes, it's more complex, and you may think it's unnecessary in your current application, but it's better to know a safer way to do it and the risks of the "unsafe" way, to have it in mind if, say, you end up attaching this to a CGI or something. Good luck
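
The forked open described in the post above, as an added example that is not part of the original post: it treats a failed fork as its own case and passes `--` so that a name starting with `-` is not read as an option. `du_no_shell` and `du_list_open` are hypothetical names, the input string is the one from the post, and the list form of a piped open assumes Perl 5.8 or later.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Forking open with the three return values of open() handled separately.
# Returns du's exit status followed by its output lines.
sub du_no_shell {
    my ($dir) = @_;
    # open returns the child's PID in the parent, 0 in the child,
    # and undef if the fork itself failed.
    my $pid = open(my $du, "-|");
    die "cannot fork: $!" unless defined $pid;
    if ($pid == 0) {
        # Child: STDOUT is the pipe. exec with a list never starts a shell,
        # so $dir reaches du as one literal argument.
        exec("du", "--", $dir) or die "cannot exec du: $!";
    }
    my @output = <$du>;
    close($du);                       # reaps the child and sets $?
    return ($? >> 8, @output);
}

# Same effect with the list form of a piped open: fork and exec in one call,
# again without a shell.
sub du_list_open {
    my ($dir) = @_;
    open(my $du, "-|", "du", "--", $dir) or die "cannot run du: $!";
    my @output = <$du>;
    close($du);
    return ($? >> 8, @output);
}

# Input from the post: a shell would split this at ";" and run touch.
my $hostile = "mail; touch jejejejeje";
for my $run (\&du_no_shell, \&du_list_open) {
    my ($status, @lines) = $run->($hostile);
    printf "du exit status %d, %d line(s) of output\n", $status, scalar @lines;
}
print "jejejejeje exists: ", (-e "jejejejeje" ? "yes" : "no"), "\n";
```

Run it in a scratch directory that has no file named jejejejeje; du's own error message goes to STDERR and is not part of the returned lines.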

RE: RE: interpolate using backticks?
by djw (Vicar) on Sep 21, 2000 at 15:52 UTC
    No that's great. I would much rather spend a few more lines typing now and get it right. Much appreciated.

    Thanks,
    djw