On Sunday April 13 2008 6:12 am, dylanthomasfan wrote:
> Hi,
>
> I am a Perl CGI beginner. I am trying to construct perl statements to
> do depending on user input, and interpret them at runtime using eval.
> I execute these commands by writing
>
> eval $commandString;
>
> where $commandString is constructed as per user input.
>
> if $commandString="simpleSubroutine();" my eval works well, but if
> $commandString="notSoSimpleSubroutine(\"$string1\", \"$string2\");" my
> eval bombs with the following message:
>
> Insecure dependency in eval while running with -T switch at /var/www/
> CGI/process.cgi line 92. Line 92 points to the line
> eval $commandString;
>
> Any pointers on what is going on? I have read about unsafe characters,
> and tried the following:
>
> $safeCommand=uri_escape($commandString);
> eval $commandString;
> (that does not work).
>
> I have also tried substituting $string1 and $string2 with literals.
> I.e., I tried
> $commandString="notSoSimpleSubroutine(\"delta\", \"gamma\");"
> and that works just fine. So I gathered that the eval could be bombing
> because, perhaps variables ($string1 and $string2) above are not safe?
> However, I need the flexibility of using $string1 and $string2.
>
> Any workaround? Any help is greatly appreciated.
>
> Thanks.

Looks like you're running in taint mode, and you're trying to use tainted data. Bad idea... Stay away from using system calls via CGI. See: http://perldoc.perl.org/perlsec.html

Greg
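
Added example, not part of the original thread: one way to keep the flexibility the question asks for without string `eval` is an allow-list dispatch table, with each argument untainted through a strict regex capture (the mechanism perlsec documents). The subroutine bodies, the command names `simple` and `notsimple`, the helpers `untaint_word` and `run_command`, and the argument pattern are assumptions made for illustration.

```perl
#!/usr/bin/perl -T
# Added example: dispatch table plus untainting in place of string eval.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Hypothetical stand-ins for the poster's subroutines.
sub simpleSubroutine      { return "simple" }
sub notSoSimpleSubroutine { my ($first, $second) = @_; return "got $first and $second" }

# Allow-list: command name => [ code ref, number of arguments expected ].
my %DISPATCH = (
    simple    => [ \&simpleSubroutine,      0 ],
    notsimple => [ \&notSoSimpleSubroutine, 2 ],
);

# Untaint by capturing from a strict pattern; anything else is rejected.
sub untaint_word {
    my ($value) = @_;
    return $value =~ /\A([A-Za-z0-9_]{1,32})\z/ ? $1 : undef;
}

sub run_command {
    my ($name, @args) = @_;
    # A hash lookup never executes the key, so a tainted name is safe here.
    my $entry = $DISPATCH{ $name // '' }
        or return "rejected: unknown command";
    my ($code, $arity) = @$entry;
    return "rejected: wrong argument count" unless @args == $arity;
    my @clean = map { untaint_word($_) } @args;
    return "rejected: bad argument" if grep { !defined } @clean;
    return $code->(@clean);
}

# Constructed sample input. Appending a zero-length slice of "$0$^X"
# (tainted under -T) taints each value, mimicking CGI parameters.
my $taint = substr("$0$^X", 0, 0);
my @requests = (
    [ "notsimple$taint", "delta$taint",     "gamma$taint" ],
    [ "notsimple$taint", "bad\"value$taint", "gamma$taint" ],
    [ "nosuch$taint" ],
);
for my $req (@requests) {
    my ($name, @args) = @$req;
    printf "%-10s tainted=%d -> %s\n",
        $name, (tainted($name) ? 1 : 0), run_command($name, @args);
}
```

Run it as `perl -T script.pl`; user input selects a table entry and supplies validated values, and no user-supplied text is ever compiled as Perl.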