The first spawns a shell and can handle things like globs. This is less efficient, more powerful, and more dangerous (susceptible to code injection attacks).

The second does not spawn a shell and therefore cannot handle globs. It is also less susceptible to code injection attacks.

    system "ls *.pl";

is equivalent to typing ls *.pl on the command line.

    system "ls", "*.pl";

is equivalent to typing ls '*.pl' on the command line (i.e. the glob does not expand).

Code injection attacks can occur when you use untrusted data in something that runs code (like string eval) or executes programs (like system):

    my $user = untrusted_source();
    system "ls /home/$user > /tmp/userfiles";

If the untrusted source returns "; cat /etc/passwd" then you will copy the passwd file to /tmp/userfiles instead of the intended output.

It is always good to sanitize user inputs (ensure that the values are within the expected values) that are untrusted for this reason. If you are handling untrusted data often, it is a good idea to turn on taint mode in Perl. It will throw a runtime error if you try to use untrusted data without sanitizing it with a regex or other sanitizing function. See https://perldoc.perl.org/perlsec.html#Taint-mode for more information.

On Tue, Jul 24, 2018 at 8:37 AM Lauren C. <lau...@miscnote.net> wrote:

> Hi,
>
> $ perl -le 'system "df -h"'
>
> $ perl -le 'system "df","-h"'
>
> Both styles work fine.
> What's the difference between them and which is better usage?
>
> thanks.
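Added example, not part of the original message: the "ls /home/$user > /tmp/userfiles" case from the reply, rewritten so it runs under taint mode, validates the name against an allow-list, and writes the output file without a shell. The names validate_user and list_home, the username pattern, and reading the input from the first command-line argument are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Run with taint checks enabled:  perl -T list_home.pl <username>
use strict;
use warnings;

# Taint mode refuses to run programs until PATH is set to a known value
# and the shell-related variables named in perlsec are removed.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Stand-in for the message's untrusted_source(): first command-line argument.
sub untrusted_source { return $ARGV[0] // '' }

# Allow-list check. The capture group is what untaints the value; \A and \z
# anchor the whole string so a trailing newline cannot slip past.
# The pattern is an assumed username policy; adjust it to your system.
sub validate_user {
    my ($raw) = @_;
    return $raw =~ /\A([a-z_][a-z0-9_-]{0,31})\z/ ? $1 : undef;
}

# Same result as "ls /home/$user > /tmp/userfiles", but with no shell:
# Perl opens the output file itself and runs ls through a list-form pipe,
# so the directory name reaches ls as a single literal argument.
sub list_home {
    my ($user, $outfile) = @_;
    open my $out, '>', $outfile or die "cannot write $outfile: $!\n";
    open my $ls, '-|', 'ls', '--', "/home/$user" or die "cannot run ls: $!\n";
    print {$out} $_ while <$ls>;
    close $ls  or warn "ls failed (wait status $?)\n";
    close $out or die "cannot close $outfile: $!\n";
    return;
}

my $user = validate_user(untrusted_source());
defined $user or die "rejected: input is not a valid username\n";
list_home($user, '/tmp/userfiles');
```

Given the "; cat /etc/passwd" input from the reply, this script stops at the validation step, and without the validation the list-form open would still hand the whole string to ls as one directory name rather than to a shell.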