From: "Dan Muey" <[EMAIL PROTECTED]>
> Sorry to bother but...
> I have a script that I have to do an eval on code that someone else
> has put in a database. ...

Are you sure you want to do that? Are you sure you want them to be 
able to run any code they wish inside your script? Deleting files 
they should not have access to, mailing themselves information they 
should not see, breaking something ... ?

You should be really really really careful with this!
And if you really must allow them to enter CODE into the database 
then at least 
        use Safe;
with the strictest settings that allow you to do what you must.
 
> $code = "$row[1] $row[2] $row[3]"; # @row is from a database query

This looks like all you need is to fill in a TEMPLATE, that they do 
not need to execute (read DO) something, but instead construct some 
text using some variables.

It would be much better to store something like this:

        This is a notification that the %JobTitle% job posting 
        on %SiteName% will expire in %ExpireInDays% days."

in the database. Then fill some hash with the data (from the database 
and elsewhere) and do:

        $template =~ s/%(\w+)%/$data{$1}/g;


See some more comments below.

> so I try to do this :
> 
> if($code =~ m/\$password/) {   # ie if $code contains the string '$password' then don't do it!
>     print "NO way pal \n";
> } else {
>     eval $code;
>     .....
> 
> It seems that since $code = "$row.. uses double quotes it seems that
> it is putting the value of $password there instead of the actual string
> '$password'

Why don't you print the $code somewhere so that you may look at it 
and see what exactly is there? Stop guessing. Test!

Anyway, if the value of $row[$i] is 'print $password;' then the $code 
WILL contain 'print $password;'. The variable interpolation is NOT 
recursive. But maybe the $row[$i] contains something unexpected. 
Print out @row as well!

Jenda
===== [EMAIL PROTECTED] === http://Jenda.Krynicky.cz =====
When it comes to wine, women and song, wizards are allowed 
to get drunk and croon as much as they like.
        -- Terry Pratchett in Sourcery
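The two pieces of advice above, the %Name% template filled from a hash and a Safe compartment for code that really must run, as one added example. This is not code from either post: the template text, the %data values, the @row fields, the secret and the snippets are constructed inline so the script runs stand-alone, fill_template is a name chosen here, and the permit_only mask (Opcode's :default set minus :base_thread) is this example's choice of "strictest settings", not something the thread prescribes.

```perl
#!/usr/bin/perl
# Added example for this thread (not code from the original posts):
# part 1 fills a stored template from a hash instead of eval'ing stored
# code; part 2 shows what a Safe compartment does with stored code that
# really must run. All template text, row data and secrets are constructed
# here so the script runs on its own.
use strict;
use warnings;
use Safe;

# ---- Part 1: template filling instead of eval ---------------------------

# Text as it would be stored in the database (constructed inline).
my $template = 'This is a notification that the %JobTitle% job posting '
             . 'on %SiteName% will expire in %ExpireInDays% days.';

# Values gathered from the query and elsewhere (constructed inline).
my %data = (
    JobTitle     => 'Perl Programmer',
    SiteName     => 'jobs.example',   # placeholder site name
    ExpireInDays => 3,
);

# Replace every %Name% with $data{Name}. A placeholder with no matching
# key is left as-is and reported, so a typo in the stored text is noticed
# instead of silently turning into an empty string. Nothing in the
# template is ever compiled or executed.
sub fill_template {
    my ($tmpl, $data) = @_;
    my @unknown;
    (my $out = $tmpl) =~ s{%(\w+)%}{
        exists $data->{$1} ? $data->{$1} : do { push @unknown, $1; "%$1%" }
    }ge;
    warn "fill_template: no value for @unknown\n" if @unknown;
    return $out;
}

print fill_template($template, \%data), "\n";
print fill_template('Dear %Nobody%, ...', \%data), "\n";

# ---- Part 2: if stored code must run, confine it -------------------------

my $password = 'hunter2';   # constructed secret; must stay out of reach

# Build $code the way the original script does, from row fields. The
# interpolation is not recursive: $row[2] holds the nine characters
# "$password", so $code holds those characters too, not the secret.
my @row = (0, 'print', '$password', ';');
my $code = "$row[1] $row[2] $row[3]";
print "code to run: [$code]\n";

# Compartment with a narrow mask: only the ops needed for plain
# expressions and string handling (Opcode's :default set minus
# :base_thread). Anything not listed, i.e. file, process, socket and
# I/O ops, print included, is trapped when the code is compiled.
# Adjust the list to the minimum the stored code genuinely needs.
my $compartment = Safe->new;
$compartment->permit_only(qw(:base_core :base_mem :base_loop :base_orig));

# Constructed snippets: two harmless, one touching the filesystem, one
# spawning a process, and the row-built code above.
my @snippets = (
    '2 + 2',
    q{"ab" x 3},
    'unlink "important.txt"',
    'system("id")',
    $code,
);

for my $snippet (@snippets) {
    # Second argument 1 turns on 'use strict' inside the compartment, so
    # an undeclared $password is a compile error there rather than a
    # silent undef from the compartment's own, separate namespace.
    my $result = $compartment->reval($snippet, 1);
    if ($@) {
        (my $err = $@) =~ s/\s+\z//;
        print "REFUSED [$snippet]: $err\n";
    } else {
        print "ran     [$snippet] => $result\n";
    }
}
```

Run it as a plain script: the first two lines show the filled template and the untouched %Nobody% placeholder (with a warning on stderr), then the compartment evaluates the arithmetic and string snippets and reports the unlink, system and print attempts as trapped by the operation mask. Note that the compartment sees none of the script's own variables unless you share them explicitly, which is the point: share only what the stored code needs and nothing like $password.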

