Re^2: Should I escape shell arguments in Perl?

While the system(@args)approach avoids the need to escape args from a functional perspective, from a security perspective they will need to be escaped.

Could you explain what do you mean in more detail?

Comment on Re^2: Should I escape shell arguments in Perl?

Replies are listed 'Best First'.
Re^3: Should I escape shell arguments in Perl? by Utilitarian (Vicar) on Apr 20, 2009 at 11:07 UTC
If you use system in the following fashion you don't need to worry about quotes, shell vars etc.. being interpreted by Perl. `@args=qw(command arg1 arg2); system(@args);` [download] Oh, and on testing not by the shell either `~$ perl -e '@args=qw(echo Hello;echo World);system(@args);' Hello;echo World` [download] So it prevents this form of abuse by default, I wasn't aware of that feature at all. Thanks	[reply] [d/l] [select]

Replies are listed 'Best First'.

Re^3: Should I escape shell arguments in Perl?
by Utilitarian (Vicar) on Apr 20, 2009 at 11:07 UTC

@args=qw(command arg1 arg2);
system(@args);
[download]

~$ perl -e '@args=qw(echo Hello;echo World);system(@args);'
Hello;echo World
[download]

[reply]
[d/l]
[select]