--- Camilo Gonzalez <[EMAIL PROTECTED]> wrote:
> try
>
> system (/bin/somecommand $variable);
>
> or even
>
> `somecommand $variable`;
>
> -----Original Message-----
> From: Alen Sarkinovic [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, June 20, 2001 2:11 PM
> To: [EMAIL PROTECTED]
> Subject: need code
>
>
> Hi
> Can anybody send me Perl code that will take input from the web and execute a
> Unix command, I mean SYSTEM(/bin/somecommand $variable)?
>
> I have tried everything but am still not able to execute it from the web; everything
> goes fine from the command line: perl -T script.pl variable=blabla
Be very, very careful about this! It's extremely dangerous to run arbitrary commands with system(). If you already know the command you want to run, try using the multiple argument form of system (untested code):

#!/usr/bin/perl -wT
use strict;
use CGI qw/:standard/;

# taint mode refuses to call system() while $ENV{PATH} is untrusted,
# so set it explicitly before running anything
$ENV{PATH} = '/bin:/usr/bin';

my $program = '/bin/somecommand';
my $dirty_variable = param( 'variable' );
$dirty_variable = '' unless defined $dirty_variable;
# untaint the variable
# you'll need to create your own regex if \w+ does not
# meet your needs
my ( $variable ) = ( $dirty_variable =~ /^(\w+)$/ );
if ( ! $variable ) { some_error_routine( $dirty_variable ) }
my $bad_status = system( $program, $variable );
if ( $bad_status ) { die "$program returned a bad error code: $?" }

# placeholder error handler: reject the request without running anything
sub some_error_routine {
    my ( $input ) = @_;
    print header, "Invalid value for 'variable'\n";
    exit;
}

Using the multiple argument form of 'system' forces the arguments to be passed to the program and not to the shell, where they could be interpreted in unexpected (and possibly dangerous) ways.

Absolutely do NOT use backticks unless it is critical that you capture the output of the command. Backticks are extremely dangerous if you are allowing any user data near the shell.

Cheers,
Curtis Poe
=====
Senior Programmer
Onsite! Technology (http://www.onsitetech.com/)
"Ovid" on http://www.perlmonks.org/
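As an added example (not from the thread above), the script below runs the untaint step from Curtis's reply over a few constructed inputs and then calls /bin/echo through the list form of system(), so each accepted value reaches the program as one argv entry and is never parsed by /bin/sh. It assumes /bin/echo exists and uses \z instead of $ so a trailing newline is rejected.

```perl
#!/usr/bin/perl -wT
# Added example, not the original poster's code. Constructed inputs only.
use strict;
use warnings;

# Taint mode refuses system()/exec() while %ENV carries untrusted values.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $program = '/bin/echo';    # assumed to exist; harmless stand-in command

# Accept exactly one run of \w characters. \z (unlike $) does not allow a
# trailing newline. Returns undef for anything that does not fit.
sub untaint_word {
    my ($dirty) = @_;
    return unless defined $dirty;
    my ($clean) = ($dirty =~ /\A(\w+)\z/);
    return $clean;
}

# List form: $program is executed directly with $arg as its own argv entry.
# No shell is involved, so metacharacters in $arg are just ordinary bytes.
sub run_safely {
    my ($arg) = @_;
    my $status = system($program, $arg);
    return $status == 0;
}

# Constructed sample inputs, as a CGI parameter might deliver them.
my @samples = (
    'blabla',       # plain word: accepted
    'bla bla',      # space: rejected by the regex
    "blabla\n",     # trailing newline: rejected because of \z
    'foo;ls',       # would be two commands in a single shell string
    '$(id)',        # command substitution in a single shell string
);

for my $input (@samples) {
    (my $shown = $input) =~ s/\n/\\n/g;
    my $clean = untaint_word($input);
    if (defined $clean) {
        print "accepted '$shown': ";
        run_safely($clean) or warn "$program failed: $?\n";
    } else {
        print "rejected '$shown'\n";
    }
}
```

Run it as `perl -T example.pl` (or via the shebang); starting it without -T makes Perl complain that -T is "too late".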