On Thursday, 19 May 2005 22:11, Matthew Sacks wrote:
> Greetings,
> This is the sort of little question that drives me nuts.
> I am reading about tainting/taintedness etc. in the Camel book. Look at p.
> 561 for an example of a perl subroutine that tests data to see if it is
> tainted, returning true or false. It contains this line (writing from
> memory):
>
> eval { eval "# $nada" };
>
> if $nada is tainted, that code raises an exception. The Camel book does
> explain why.
My view (no camel book at hand):
The inner eval detects the taintedness of $nada (at runtime because of the
eval STRING which is always evaluated at runtime).
The outer eval catches the runtime error raised by the inner eval in case of
tainted $nada, avoids an automatic die() and provides $@ to detect if the
inner eval die()d, meaning $nada was tainted.
sub tainted {
    my $nada = shift;
    eval {                # this eval block sets $@ ...
        eval "# $nada";   # ... if this eval STRING die()s (tainted $nada under -T)
    };
    return $@ ? 1 : 0;
}
> OK. Now my question is, what is the significance of the "# " character?
> Is the "#" just one char in the string, or is it evaluated or interpolated
> somehow? If so, where in the Camel book is this explained.... Best Wishes,
The comment hinders $nada from being executed, but not from being compiled at
runtime.
Imagine the above tainted() without the '#' in the evaled string, and $nada
contains 'system ("rm -rf;")':
1. $nada would be executed
2. the quotes around the evaled string would not be necessary
I hope this explanation is halfway correct - if not, hope for one of the list
gurus with their extraordinary didactical capabilities :-)
or
perldoc -f eval
joe
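The check discussed in this thread, written out as a complete script (an added example, not code from the post or from the Camel book). It keeps the Camel-book refinements joe's sketch omits: the value is reduced to a zero-length slice before it is interpolated, so nothing attacker-controlled ever reaches the compiler, and $@ is localized so the caller's copy survives. The second half shows the defender's follow-up, untainting by capturing a whitelisted pattern. DEMO_NAME, untaint_filename and the sample inputs are assumptions made for this example; it needs Perl 5.10 or later for the // operator.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;

# Camel-book style taint check: compile, but never run, a one-line comment
# that carries a zero-length slice of the value. Under -T the inner
# eval STRING dies ("Insecure dependency in eval") if that slice is
# tainted; the outer eval BLOCK turns the die into a non-empty $@.
sub is_tainted {
    my $arg  = shift;
    my $nada = substr($arg, 0, 0);   # zero length, but the taint flag survives
    local $@;                        # do not clobber the caller's $@
    eval { eval "# $nada" };         # the leading '#' makes it a comment: compiled, not executed
    return length($@) != 0;
}

# Untainting (assumed helper): a capture from a whitelist regex is clean,
# anything that does not match the whitelist is rejected outright.
sub untaint_filename {
    my $raw = shift;
    return undef unless defined $raw && $raw =~ /\A([\w.-]+)\z/;
    return $1;
}

# Constructed inputs for the demo: a compile-time literal is never tainted,
# while %ENV and @ARGV are always tainted under -T.
my @samples = (
    [ literal => "report.txt" ],
    [ env     => $ENV{DEMO_NAME} // $ENV{PATH} // "" ],
    [ argv    => $ARGV[0] // "" ],
);

for my $s (@samples) {
    my ($label, $value) = @$s;
    printf "%-8s tainted=%d\n", $label, is_tainted($value) ? 1 : 0;
}

# Untaint whatever came in on the command line (if anything) and re-check it.
if (defined $ARGV[0]) {
    my $clean = untaint_filename($ARGV[0]);
    if (defined $clean) {
        printf "argv     untainted as '%s', tainted=%d\n", $clean, is_tainted($clean) ? 1 : 0;
    } else {
        print "argv     rejected by whitelist\n";
    }
}
```

Run it as `perl -T demo.pl report.txt` and then with something like `perl -T demo.pl 'a b'`: the environment and argv values report tainted=1, the literal reports 0, and the whitelist capture comes back with tainted=0 only when the input matches. Note that is_tainted tells you whether a value is tainted, not whether it is safe; the untaint step is where the actual validation happens.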
<http://learn.perl.org/> <http://learn.perl.org/first-response>