in reply to And you trust your users why?
in thread Parsing conditional expressions

Wow, sounds like you got your knickers in a bunch over some unfounded assumptions.

I didn't say that database queries were always the full-blown enterprise/ecommerce type. There are simpler databases of one form or another in just about any application. At the lowest level, any perl instance of grep { } is a database query: it's scanning and selecting data elements from a dataset which match a criteria.

I didn't say that I would use Perl for my user-supplied criteria mechanism in most database-centric applications, especially criteria that are tainted by being input by any old end-user.

Think about what a SQL server really is, architecturally. A SQL statement IS a user-supplied criteria. The SQL database must (1) parse the criteria specification (using SQL syntax rules), then (2) compare the appropriate database structures for complying entries.

There are also different concepts of "user." A system administrator is a "user." A program script which does a use MyModule; is a "user" of that module. The user-supplied criteria may not be accessible to the Joe "dubya dubya dubya" Point-n-Drool web surfer, but it's still sitting in the ~/.shoppin-cart-a-rama.rc for the web administrator to, well, administer.

And that's why I said, rightfully I think, that there are security issues in using eval in this context. Not all security issues are show-stoppers, but they're each a chance to make a reasoned and complete review of various methods of data attack. If you can successfully block all reasonable and timely data attacks, then the security issue has been resolved.

--
[ e d @ h a l l e y . c c ]
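The two steps above, (1) parse the criteria specification and (2) compare the dataset against it, can be done in Perl without ever handing the criteria text to string eval. The following is an added example, not code from either poster: it accepts a small whitelisted grammar (field, comparison operator, literal value, joined by "and"), turns it into a list of clauses, and applies those clauses with grep. The dataset, the field list and the function names parse_criteria and select_matching are constructed for the illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample "database": a list of hashrefs.
my @records = (
    { name => 'widget',    price => 5,  qty => 100 },
    { name => 'gadget',    price => 25, qty => 3   },
    { name => 'doohickey', price => 12, qty => 0   },
);

# Whitelist of comparison operators. The criteria text only selects an
# entry from this table; it is never interpolated into Perl source.
my %OPS = (
    '==' => sub { $_[0] == $_[1] },
    '!=' => sub { $_[0] != $_[1] },
    '<'  => sub { $_[0] <  $_[1] },
    '<=' => sub { $_[0] <= $_[1] },
    '>'  => sub { $_[0] >  $_[1] },
    '>=' => sub { $_[0] >= $_[1] },
    'eq' => sub { $_[0] eq $_[1] },
    'ne' => sub { $_[0] ne $_[1] },
);

# Step (1): parse the criteria into clauses.
# Grammar: clause ( 'and' clause )*
#          clause = field op value
#          field  = identifier; value = number or single-quoted string
# Anything outside this grammar is rejected, so a rule-file entry or a
# form field cannot smuggle in arbitrary Perl.
sub parse_criteria {
    my ($text) = @_;
    my @clauses;
    for my $part (split /\s+and\s+/i, $text) {
        $part =~ /^\s*(\w+)\s*(==|!=|<=|>=|<|>|eq|ne)\s*(?:(-?\d+(?:\.\d+)?)|'([^']*)')\s*$/
            or die "malformed clause: '$part'\n";
        my ($field, $op, $num, $str) = ($1, $2, $3, $4);
        # Numeric operators must get a numeric literal (avoids silent
        # "isn't numeric" coercions when a string is compared with <).
        die "operator $op needs a numeric value\n"
            if defined $str && $op !~ /^(?:eq|ne)$/;
        push @clauses, {
            field => $field,
            op    => $op,
            value => defined $num ? $num : $str,
        };
    }
    return \@clauses;
}

# Step (2): select the records that satisfy every clause.
# $allowed_fields restricts which record keys the criteria may name.
sub select_matching {
    my ($clauses, $records, $allowed_fields) = @_;
    for my $c (@$clauses) {
        die "unknown field: $c->{field}\n"
            unless $allowed_fields->{ $c->{field} };
    }
    return grep {
        my $rec = $_;
        my $ok  = 1;
        for my $c (@$clauses) {
            my $cmp = $OPS{ $c->{op} };
            $ok = 0 unless $cmp->( $rec->{ $c->{field} }, $c->{value} );
        }
        $ok;
    } @$records;
}

# Constructed user-supplied criteria, e.g. read from a .rc file.
my $criteria = "price >= 10 and qty > 0";
my %fields   = map { $_ => 1 } qw(name price qty);

my @hits = select_matching( parse_criteria($criteria), \@records, \%fields );
print "$_->{name}\n" for @hits;    # prints: gadget
```

With this shape the security review the post calls for becomes tractable: the attack surface is the regex grammar, the operator table and the field whitelist, all of which can be read in one sitting, whereas a string eval of the same criteria text makes the attack surface the entire Perl language. The toy grammar deliberately has no escaping inside quoted strings and no "or" or parentheses; extending it means extending the parser, not loosening it toward eval.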

Re: Re: And you trust your users why?
by dragonchild (Archbishop) on Mar 23, 2004 at 15:30 UTC
    IMHO, you're comparing apples and oranges. There is a major difference between clients and users. Programs are not "users". They are "clients". They have a well-defined, well-formed, and limited usage of a supplier's capabilities. They are trusted.

    People, on the other hand, are "users". They are not well-defined, well-formed, nor are they limited in their capability to err. Programs that deal with "users" must take this into account. (The exception is administrator-type "users", which are trusted, so they can be considered "clients".)

    I don't think that suggesting eval here without knowing more about what the OP wants to do is valid. It turns out that the OP's need is better served through other means. eval, imho, is meant for two situations:

    1. Quick'n'dirty hacking on a problem in a one-off situation
    2. Situations where there simply is not any other method of solving the problem

    It doesn't appear that either situation applies here.

    ------
    We are the carpenters and bricklayers of the Information Age.

    Then there are Damian modules.... *sigh* ... that's not about being less-lazy -- that's about being on some really good drugs -- you know, there is no spoon. - flyingmoose