in reply to ticked off with backticks

This is running inside a cgi

Excuse the slightly off-topic post, but I hope your $cmd variable isn't coming from user input. Or, if it is, I hope you're scrubbing it well. If not, you have opened yourself up to a major security hole. Fortunately, it's pretty easy to solve. Here's an adapted version of aquarium's solution:

open(GNUPLOT, "-|", gnuplot => $cmd) or die;
@output = <GNUPLOT>;
close GNUPLOT or die "error reading GNUPLOT";

Since this uses the list form of open, the shell is never called. This eliminates the possibility of shell metacharacters being interpreted by your backtick command.

Re^2: ticked off with backticks
by bret.foreman (Acolyte) on Aug 19, 2004 at 16:37 UTC
    No no. The $cmd stuff is all internally generated in the CGI. The user just selects stuff from scrolling lists.

    Bret

      Generating $cmd inside the CGI is good, and your code may indeed be safe (hard to judge without seeing the actual code), but using dropdown lists does not help. Users can make their web clients submit anything they want, really.
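
The two points made in this thread (the list form of open never calls the shell, and a dropdown list does not limit what a client can submit), as an added example that is not code from any of the posts above. The names %PLOT_SCRIPT, script_for and run_no_shell and the file paths are hypothetical, and a child perl that echoes its arguments stands in for gnuplot so the script runs without gnuplot installed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical allow-list: each value the form offers maps to a gnuplot
# script that the CGI itself generated (paths are assumptions).
my %PLOT_SCRIPT = (
    daily  => '/var/www/plots/daily.gp',
    weekly => '/var/www/plots/weekly.gp',
);

# Return the server-side script for a submitted value, or undef.
# Only an exact match on a known key is accepted.
sub script_for {
    my ($choice) = @_;
    return unless defined $choice;
    return $PLOT_SCRIPT{$choice};
}

# List form of open: the program and each argument go straight to exec,
# so no shell ever parses them.
sub run_no_shell {
    my ($prog, @args) = @_;
    open(my $fh, '-|', $prog, @args) or die "cannot start $prog: $!";
    my @output = <$fh>;
    close($fh) or die "error reading from $prog (exit status $?)";
    return @output;
}

# Stand-in for gnuplot (assumption): prints every argument it received.
my @echo_child = ($^X, '-e', 'print "arg: [$_]\n" for @ARGV');

# Constructed submissions: one the dropdown offers, one typed by hand
# into the request by a client that ignores the dropdown.
for my $submitted ('weekly', 'weekly; echo INJECTED') {
    my $script = script_for($submitted);
    if (!defined $script) {
        print "rejected: [$submitted]\n";
        next;
    }
    print run_no_shell(@echo_child, $script);
}

# Even if a value with metacharacters reached the child, it arrives as
# one literal argument; the text after ';' is not run as a command.
print run_no_shell(@echo_child, 'weekly; echo INJECTED');
```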