in reply to Re: Launching Internet Explorer
in thread Launching Internet Explorer

It's safer to avoid the shell.

my $link = 'http://www.perlmonks.org/';
my $ie = 'C:\\Program Files\\Internet Explorer\\iexplore.exe';
system($ie, $link);

Use start to use the user's preferred browser.

my $link = 'http://www.perlmonks.org/';
system('start', $link);

Re^3: Launching Internet Explorer
by pKai (Priest) on Sep 27, 2006 at 12:36 UTC
    Defying the spirit of safety, using "start" will introduce the evil shell again:
    D:\temp>perl
    my $link = '"http://perlmonks.org/" & echo Oops!';
    system('start', $link);
    ^Z
    Oops!
      yuck! Thanks for the heads up! I didn't know.
Re^3: Launching Internet Explorer
by liverpole (Monsignor) on Sep 26, 2006 at 16:54 UTC
    ikegami, granted that your method works.  But it's a wee bit vague just to say it's safer to avoid the shell.  Could you be so kind as to explain why it's safer?

    Thanks for the information about "start"; that seems quite useful.


    s''(q.S:$/9=(T1';s;(..)(..);$..=substr+crypt($1,$2),2,3;eg;print$..$/
      In your case, I don't think it's safer. If $link was set by the user, he can set it to something like 'http://own3d.com ; format c:' (I just made that up). I'm not sure if that's a valid shell script in cmd.exe, but you get the picture. If you use the shell-safe construct, it would look to the shell like ie.exe 'http://own3d.com ; format c:', where $link is one parameter. There's no chance for the user to do nasty things via the shell.
      When passing a command line to the shell, it must be properly quoted and escaped. When using the list form of system and exec, the shell is not invoked, so no quoting and escaping is needed.
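
An added example, not code from any poster in this thread: because "start" is a cmd.exe builtin, the list form of system still reaches the shell (as pKai's reply shows), so one mitigation is to accept only URLs drawn from a strict character allowlist before calling it. The names checked_url and open_in_browser and the allowlist itself are assumptions made for illustration; the allowlist is deliberately narrow and refuses URLs with query strings.

```perl
use strict;
use warnings;

# Hypothetical helper: return the URL unchanged if it is an absolute
# http/https URL built only from characters cmd.exe does not interpret;
# die otherwise. Assumption: refusing anything outside the allowlist
# (spaces, quotes, &, |, <, >, ^, %, ;) is acceptable for the caller.
sub checked_url {
    my ($url) = @_;
    die "not a plain http(s) URL\n"
        unless defined $url
        && $url =~ m{\A https?:// [A-Za-z0-9.-]+ (?: : \d+ )?
                     (?: / [A-Za-z0-9._~/-]* )? \z}x;
    return $url;
}

# Hypothetical helper: hand a validated URL to "start" so the user's
# preferred browser opens it. Validation happens first because this
# call goes through cmd.exe even in list form.
sub open_in_browser {
    my ($url) = @_;
    return system('start', checked_url($url)) == 0;
}

# Constructed inputs: the first is the link from the original post, the
# second is the string from pKai's reply, the third is from the reply
# to liverpole.
for my $candidate (
    'http://www.perlmonks.org/',
    '"http://perlmonks.org/" & echo Oops!',
    'http://own3d.com ; format c:',
) {
    my $ok = eval { checked_url($candidate); 1 };
    printf "%-45s %s", $candidate, $ok ? "accepted\n" : "rejected: $@";
}

# Dry run by default: launch only when a URL is given on the command
# line, and only on Windows, where "start" exists.
open_in_browser($ARGV[0]) if @ARGV && $^O eq 'MSWin32';
```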