in reply to How to do regex backreferences within $variable replacement text?

Use the evaluate switch:

use warnings;
use strict;
my $user_defined_string  = "abcabcabc";
my $user_defined_search  = '(a)';
# original version, superseded by the update below (it interpolates to plain text):
# my $user_defined_replace = '---$1---';
my $user_defined_replace = '"---".$1."---"';
print "before: $user_defined_string\n";
$user_defined_string =~ s/$user_defined_search/$user_defined_replace/ee;
print "after: $user_defined_string\n";

prints:

before: abcabcabc
after: ---a---bcabcabc

Update: Fixed the $user_defined_replace string.

BTW: you are aware that your user can execute pretty much any code using this technique? You may want to do some aggressive filtering on the expressions that are allowed, and that may be pretty tricky to do!


Perl is Huffman encoded by design.

Re^2: How to do regex backreferences within $variable replacement text?
by ManFromNeptune (Scribe) on Sep 17, 2005 at 19:43 UTC
    Hmm... that didn't work either... it prints:

    before: abcabcabc
    after: "---".$1."---"bcabcabc


    And re: security issues around executing any code, this is another reason I was hoping to avoid eval() or any of its close relatives!

    As another possible idea, is there a way to precompile the replacement text of a regular expression, sort of like what qr// does for you with the search portion?
      GrandFather missed another e. GrandFather fixed it.

      $user_defined_string =~ s/$user_defined_search/$user_defined_replace/eeg;
      __END__
      before: abcabcabc
      after: ---a---bc---a---bc---a---bc

      Now back to your security issue, here is a simple thing to do as a replacement and you will get the username. In other words it is really dangerous, as pointed out by Zaxo and GrandFather.

      my $user_defined_replace = '`whoami`';
      before: abcabcabc
      after: xxx bcxxx bcxxx bc

      Note: in the above xxx stands for the username

      Update: I might be wrong but I cannot see a nice way to handle user defined substitutions... If you give them control to become part of your script (i.e. they give some code to be executed inside your script) then they can do whatever they want... A better approach would be to look through the string they send you and check for potentially harmful substitutions like backticks and other operators and then not execute if present.

        A better approach would be to look through the string they send you and check for potentially harmful substitutions

        Better than that is to filter everything except known-good characters, like we do when untainting data. In fact, the OP program should run under taint mode.

        --
        David Serrano

      Sorry, coffee effect still applies: it needs two eval switches (now updated).

      You can't do it without evaluation in some form. You could parse the replaced string for $n's and then replace those with their respective captured text. I'll post something in a while.


      Perl is Huffman encoded by design.
      DOH, just realized that you had "/ee" ... tried that and it did indeed work :) But this is still basically an eval(), right?
        Yup. s/.../.../ee is the same as s/.../eval .../e
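The approach GrandFather sketches above (parse the replacement for $n tokens and splice in the captured text yourself, with no eval or /ee) worked through as an added example. This is not code from the thread; the helper names expand_template and safe_subst are my own, and the sample inputs are constructed for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Expand $1, $2, ${12}, $& and \$ (a literal dollar) in a user-supplied
# replacement template, using only the captures of the current match.
# No eval and no /ee: anything that is not a recognised token is copied
# through as literal text, so the template can never run code.
sub expand_template {
    my ($template, $captures) = @_;   # $captures: [ $&, $1, $2, ... ]
    my $out = '';
    pos($template) = 0;
    while (pos($template) < length $template) {
        if ($template =~ /\G\\\$/gc) {                  # "\$" -> "$"
            $out .= '$';
        }
        elsif ($template =~ /\G\$\{(\d+)\}/gc            # "${12}"
            || $template =~ /\G\$(\d+)/gc) {             # "$1", "$12"
            my $n = $1;
            $out .= defined $captures->[$n] ? $captures->[$n] : '';
        }
        elsif ($template =~ /\G\$&/gc) {                 # whole match
            $out .= $captures->[0];
        }
        elsif ($template =~ /\G([^\\\$]+|.)/gcs) {       # everything else: literal
            $out .= $1;
        }
    }
    return $out;
}

# Replace every match of $search in $string, expanding $template per match.
# @- and @+ hold the start/end offsets of $& and of each capture group for
# the match currently being replaced; unmatched groups have undef offsets.
sub safe_subst {
    my ($string, $search, $template) = @_;
    my $re  = qr/$search/;
    my $src = $string;                 # read captures from an untouched copy
    $string =~ s{$re}{
        my @caps = map {
            defined $-[$_] ? substr($src, $-[$_], $+[$_] - $-[$_]) : undef
        } 0 .. $#+;
        expand_template($template, \@caps);
    }ge;
    return $string;
}

# Demo on the thread's input: swap the two captures around.
print safe_subst('abcabcabc', '(a)(b)', '---$2$1---'), "\n";
# ---ba---c---ba---c---ba---c

# The thread's dangerous replacement is now inert text, nothing is executed.
print safe_subst('abcabcabc', '(a)', '`whoami`'), "\n";
# `whoami`bc`whoami`bc`whoami`bc

# Braces disambiguate a group number from following digits; "\$" stays literal.
print safe_subst('abcabcabc', '(a)', '${1}0\$'), "\n";
# a0$bca0$bca0$bc
```

Because the template is only ever walked with \G anchored matches and copied character by character, the only values that can reach the output are literal characters from the template and text that already sat in the input string. The search pattern still goes into qr//, so a user who controls it can still supply a slow or pathological regex; this removes code execution, not every concern with user-supplied patterns, which is why running under taint mode as suggested above remains sensible.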
Re^2: How to do regex backreferences within $variable replacement text?
by ManFromNeptune (Scribe) on Sep 17, 2005 at 19:19 UTC
    I tried that; unfortunately it didn't work. I got:

    before: abcabcabc
    after: ---$1---bc---$1---bc---$1---bc

    The "$1" is getting interpreted literally, not as a backreference.