Re: A modest request of Merlyn

Consider this code, which is a trivial modification of the code you posted, and merlyn suggested was foolish. String eval is incredibly dangerous as unless you have perfect control over the input data a cracker can run arbitrary code.....

@keys=( 'warn "merlyn is right, this is insecure and your code *was* f
+oolish!\n"' );
$e = '%hash = (' . (shift @keys) . '=>';
$e .= '{' . $_ . '=>' for @keys;
$e .= '1';
$e .= '}' for @keys;
$e .= ');';
eval $e;
[download]

Sometimes you need eval, most times you don't. A wise man knows the difference. There are better faster more secure ways to do it. You apparently did not know this at the time. If you peruse some of the other, better answers in that thread you may learn something. If you are a fool you will insist that this sort of hack could never happen. If you know a little bit about merlyn you may be aware he is a person not unfamiliar with security issues.

cheers

tachyon

Comment on Re: A modest request of Merlyn Download Code

Replies are listed 'Best First'.
Re^2: A modest request of Merlyn by delirium (Chaplain) on Jul 13, 2004 at 12:57 UTC
Thanks for your comments about my code. I agree that eval was not needed, in fact one of the solutions prior to my own was simple and effective, and did not use eval. However, being the XP whore that I am, I needed to post my own solution and have it be somewhat different from the other attempts. None of that is the reason for this thread, though. My code: bad. I'm just asking for Merlyn to take his disclaimer down since it isn't accurate, and that he, like me and any other human, is prone to an occasional personal attack on someone.	[reply]
Re^3: A modest request of Merlyn by tachyon (Chancellor) on Jul 13, 2004 at 13:07 UTC
At the end of the day does it really matter? I think not. merlyn can be abrasive at times see Color coded diff for one of our long dead tiffs, but so what? People suggesting eval without also putting in a disclaimer is like telling a 2 year old to go and play in the traffic. On the XP whoring front I usually wait for someone to post a string eval and post code like the example above :-) cheers tachyon	[reply]