in reply to Re: How to do regex backreferences within $variable replacement text?
in thread How to do regex backreferences within $variable replacement text?

Hmm... that didn't work either... it prints:

before: abcabcabc
after: "---".$1."---"bcabcabc


And re: security issues around executing any code, this is another reason I was hoping to avoid eval() or any of its close relatives!

As another possible idea, is there a way to precompile the replacement text of a regular expression, sort of like what qr// does for you with the search portion?

Re^3: How to do regex backreferences within $variable replacement text?
by sk (Curate) on Sep 17, 2005 at 19:49 UTC
    GrandFather missed another e. GrandFather fixed it

    $user_defined_string =~ s/$user_defined_search/$user_defined_replace/eeg;
    __END__
    before: abcabcabc
    after: ---a---bc---a---bc---a---bc

    Now back to your security issue, here is a simple thing to do as a replacement and you will get the username. In other words it is really dangerous, as pointed out by Zaxo and GrandFather.

    my $user_defined_replace = '`whoami`';
    before: abcabcabc
    after: xxx bcxxx bcxxx bc

    Note: in the above xxx stands for the username

    Update: I might be wrong but I cannot see a nice way to handle user defined substitutions... If you give them control to become part of your script (i.e. they give some code to be executed inside your script) then they can do whatever they want... A better approach would be to look through the string they send you and check for potentially harmful substitutions like backticks and other operators and then not execute if present.

      A better approach would be to look through the string they send you and check for potentially harmful substitutions

      Better than that is to filter everything except known-good characters, like we do when untainting data. In fact, the OP program should run under taint mode.

      --
      David Serrano

Re^3: How to do regex backreferences within $variable replacement text?
by GrandFather (Saint) on Sep 17, 2005 at 19:56 UTC

    Sorry, coffee effect still applies: it needs two eval switches (now updated).

    You can't do it without evaluation in some form. You could parse the replacement string for $n's and then replace those with their respective captured text. I'll post something in a while.


    Perl is Huffman encoded by design.
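One way to do what GrandFather describes, as an added example that is not code from this thread: scan the user's replacement text for $n tokens and splice in the captured text yourself, so the template is treated as data and never evaluated. The names expand_template and safe_subst are my own.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Expand $1, $2, ... and ${n} in a user-supplied replacement template using
# the captures passed in. Everything else in the template is copied
# literally: backticks, sigils and function calls are never evaluated.
sub expand_template {
    my ($template, @caps) = @_;
    (my $out = $template) =~ s{\$(?:(\d+)|\{(\d+)\})}{
        my $n = defined $1 ? $1 : $2;
        ($n >= 1 && $n <= @caps && defined $caps[$n - 1]) ? $caps[$n - 1] : ''
    }ge;
    return $out;
}

# Substitute every match of $search in $string with the expanded template.
# No string eval and no /ee: the only code that runs is our own.
# The search pattern is still interpolated into a regex, so keep a length
# limit on it; a pattern interpolated at run time cannot carry (?{ })
# code blocks unless the script itself says `use re 'eval'`.
sub safe_subst {
    my ($string, $search, $template) = @_;
    my $re   = qr/$search/;
    my $out  = '';
    my $last = 0;
    while ($string =~ /$re/g) {
        my ($start, $end) = ($-[0], $+[0]);
        # Text of groups 1..N; groups that did not take part stay undef.
        my @caps = map {
            defined $-[$_] ? substr($string, $-[$_], $+[$_] - $-[$_]) : undef
        } 1 .. $#+;
        $out .= substr($string, $last, $start - $last);
        $out .= expand_template($template, @caps);
        $last = $end;
    }
    return $out . substr($string, $last);
}

# Constructed inputs: the thread's string, a benign template, and the
# backtick template from sk's post, which is now inserted as plain text.
my $string = 'abcabcabc';
print safe_subst($string, '(a)',    '---$1---'), "\n";
print safe_subst($string, '(a)',    '`whoami`'), "\n";
print safe_subst($string, '(a)(b)', '$2$1'),     "\n";
```

The search pattern is the one piece of user input that still reaches the regex engine, so it deserves the known-good filtering David Serrano mentions (and taint mode) even though the replacement side is now inert.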
Re^3: How to do regex backreferences within $variable replacement text?
by ManFromNeptune (Scribe) on Sep 17, 2005 at 19:51 UTC
    DOH, just realized that you had "/ee" ... tried that and it did indeed work :) But this is still basically an eval(), right?
      Yup. s/.../.../ee is the same as s/.../eval .../e
        Ok, thanks... but really I'm trying to avoid using eval() (or /e) in the first place.

        <RANT> Seeing as Perl lets you specify regex patterns in variables used for search text (s/$pattern/), it really seems like there ought to be a non-kludgy way to interpret backreferences from a variable in the replacement text (s/$pattern/$replacecontainsbackrefs/) ... </RANT>