On 2011-06-02 14:27, Bob McConnell wrote:
> From: Stanislaw Findeisen
>
>> Suppose you have a collection of books, and want to provide your users
>> with the ability to search the book title, author or content using
>> regular expressions.
>>
>> But you don't want to let them execute any code.
>>
>> How would you validate/compile/evaluate the user provided regex so as to
>> provide maximum flexibility and prevent code execution?
>
> You want them to run an application without having to run an
> application? That doesn't make any sense.

This is a complete misunderstanding. Sorry, perhaps I wasn't clear enough.

I was talking about users injecting *their* code via the regex. See for instance:
http://perldoc.perl.org/perlretut.html#A-bit-of-magic:-executing-Perl-code-in-a-regular-expression
or the /e modifier for the built-in function s (search and replace).

When doing:

    $string =~ $regex

where $regex is a user-provided, arbitrary regular expression, anything can happen.

--
Eisenbits - proven software solutions: http://www.eisenbits.com/
OpenPGP: E3D9 C030 88F5 D254 434C 6683 17DD 22A0 8A3B 5CC0
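
An added example, not part of the original message: a sketch of compiling user-supplied patterns inside `eval { }` in a scope where `re 'eval'` is off, so that patterns carrying `(?{ })` or `(??{ })` code blocks are rejected at compile time instead of being matched. The helper name `compile_user_regex`, the book titles and the test patterns are hypothetical and constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
no re 'eval';    # the default, stated explicitly: no run-time (?{ }) or (??{ })

our $ran = 0;    # flipped only if an embedded code block actually executes

# Hypothetical helper: compile a user-supplied pattern.
# Returns (compiled regex, undef) on success or (undef, reason) on failure.
sub compile_user_regex {
    my ($pattern) = @_;
    my $re = eval { qr/$pattern/ };    # syntax errors and eval-groups die here
    return ( undef, $@ ) unless defined $re;
    return ( $re, undef );
}

# Constructed sample data
my @titles   = ( 'The Hobbit', 'The Silmarillion', 'Perelandra' );
my @patterns = (
    '^The\s+\w+$',                    # ordinary pattern
    'Hobbit(?{ $main::ran = 1 })',    # embedded code block
    '(??{ "Hobbit" })',               # postponed regex, also code
    'Hobbit(',                        # plain syntax error
);

for my $p (@patterns) {
    my ( $re, $err ) = compile_user_regex($p);
    if ( !defined $re ) {
        $err =~ s/\s+\z//;            # trim the trailing newline from $@
        print "REJECTED  $p\n          $err\n";
        next;
    }
    my @hits = grep { $_ =~ $re } @titles;
    print "ACCEPTED  $p -> @hits\n";
}
print "embedded code ran: ", ( $ran ? "yes" : "no" ), "\n";
```

The rejection depends on the pattern being interpolated at run time in a scope without `use re 'eval'`; enabling that pragma around the `qr//` would let the code blocks compile and run.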