Randal L. Schwartz wrote:
>
> >>>>> "Dan" == Dan Muey <[EMAIL PROTECTED]> writes:
>
> Dan> for(`ls /files/`) {
> Dan> if(`cat $_ |grep $string`) { push(@matchedfiles,$_); }
> Dan> }
>
> Hmm. Where to begin?
>
> - Dangerous use of ls.
> - Useless use of cat.
> - Dangerous use of backticks.
> - Shelling out when every one of those steps is done as well
>   or better by Perl.
> - Insecure use of child shells

Hi Randal.

I'll buy most of those, but wonder at your choice of 'dangerous' and 'insecure'? The return from the 'ls' backtick is certainly unpredictable and dependent on context. Is that what you mean? And surely backticks can't be inherently dangerous in any sense, only the command line that they embrace? It would be useful if you could explain what security breaches are potentiated by 'child shells' (and isn't this just another phrase for 'backticks'?)

'Shelling out' ('backticks' again) is a symptom of the misconception of Perl as a scripting language, and I think the criticism is better made in those terms. It is comparable to the weak code arising from misconceiving Perl as being C.

It helps to stand a few more up when you knock some down :)

Rob
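
The loop quoted above, rewritten so that no child shell is started, as an added example that is not part of the original thread. The name `matching_files` and the command-line usage are illustrative, and the search string is assumed to be a literal substring rather than a grep pattern.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Return the plain files in $dir that contain $string as a literal substring.
# No shell is started, so neither the file names nor $string are ever
# parsed as shell syntax (the backtick form interpolates both into a
# command line handed to /bin/sh).
sub matching_files {
    my ($dir, $string) = @_;
    my @matched;

    # readdir returns names without the trailing newline that `ls` output
    # carries, and without depending on the current working directory.
    opendir(my $dh, $dir) or die "Cannot open directory $dir: $!";
    for my $name (sort readdir $dh) {
        my $path = "$dir/$name";
        next unless -f $path;    # skips ., .., subdirectories, sockets

        # Three-argument open: $path is only ever treated as a file name,
        # never as a mode or a pipe, whatever characters it contains.
        open(my $fh, '<', $path) or do {
            warn "Skipping $path: $!";
            next;
        };
        while (my $line = <$fh>) {
            # index() matches literally; /\Q$string\E/ is the regex equivalent.
            if (index($line, $string) >= 0) {
                push @matched, $path;
                last;            # one hit is enough for this file
            }
        }
        close $fh;
    }
    closedir $dh;
    return @matched;
}

# Illustrative usage: directory and search string come from the command line.
my ($dir, $string) = @ARGV;
die "usage: $0 DIR STRING\n" unless defined $dir && defined $string;
print "$_\n" for matching_files($dir, $string);
```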