> On Tue, 27 Sep 2005, Bryan R Harris wrote:
>
>> I'd like to evaluate user input only where it makes sense, e.g.
>>
>> "2*(3+2)" ==> 10
>> "2*dog" ==> "2*dog"
>> "mysquarefunction(2)" ==> 4
>> "3*mysquarefunction(2)" ==> 12
>> "some guy" ==> "some guy"
>
> What happens when they put something in like
>
> "system('rm -rf /')"
>
> ?
>
> Blindly running input from users is a bad, bad, bad, bad idea.
>
> Figure out what kind of input you need from them, specify it as narrowly
> as you can manage, and then validate that it does match that spec.
I *really really* trust my users, since the primary user will be me. This
is for a filter to be executed at the command line, not for a CGI script.
If the user wants to type this, they could do it without going through the
script...
- B
--
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
<http://learn.perl.org/> <http://learn.perl.org/first-response>
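An added example, not code from either poster, showing the difference between the two approaches in the thread: a bare string `eval` of the input, which is what the original question amounts to, next to a filter that first checks the input against a narrow spec (numbers, `+ - * /`, parentheses, whitespace, and a whitelist of callable names) and only then evaluates it, returning the string unchanged in every other case. The body of `mysquarefunction` is assumed, since the thread never shows it.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed stand-in for the poster's "mysquarefunction"; its body is a guess.
sub mysquarefunction { my ($x) = @_; return $x * $x }

# The only identifiers the filter will let through to eval.
my %allowed_func = (mysquarefunction => \&mysquarefunction);

# The spec: numbers, + - * /, parentheses, whitespace, and identifiers.
# Identifiers are tokenised here but checked against %allowed_func below.
my $token = qr{\d+(?:\.\d+)?|[-+*/()]|\s+|[A-Za-z_]\w*};

# What the original question amounts to: anything Perl can parse gets run,
# so "system('rm -rf /')" really would execute. Defined for contrast only;
# the driver below never calls it.
sub unsafe_eval {
    my ($input) = @_;
    my $result = eval $input;
    return defined $result ? $result : $input;
}

# Hardened filter: returns the computed value when $input is a pure
# arithmetic expression over numbers and whitelisted functions, and
# returns $input unchanged in every other case.
sub safe_eval {
    my ($input) = @_;

    # 1. The entire string must consist of known tokens. Quotes, semicolons,
    #    sigils, backticks and so on never get past this line.
    return $input unless $input =~ /\A(?:$token)+\z/;

    # 2. Every identifier must be a whitelisted function and be used as a
    #    call, i.e. followed by '('. Anything else (e.g. "dog") falls through.
    for my $id ($input =~ /([A-Za-z_]\w*)/g) {
        return $input unless exists $allowed_func{$id};
        return $input unless $input =~ /\b\Q$id\E\s*\(/;
    }

    # 3. Only now is eval reached, and only arithmetic plus the whitelisted
    #    calls can be in the string. Syntax errors and division by zero die
    #    inside eval, so they also fall back to returning the input.
    my $result = eval $input;
    return $input if $@ or not defined $result;
    return $result;
}

# Constructed inputs: the thread's examples plus the hostile string the
# reply raised and two more that a bare eval would happily run.
my @inputs = (
    '2*(3+2)',
    '2*dog',
    'mysquarefunction(2)',
    '3*mysquarefunction(2)',
    'some guy',
    "system('rm -rf /')",
    '`id`',
    '1/0',
);

for my $in (@inputs) {
    printf "%-22s ==> %s\n", qq("$in"), safe_eval($in);
}
```

Run as a plain script: the first five lines of output match the poster's table (10, `2*dog`, 4, 12, `some guy`), and the three hostile or malformed inputs come back unchanged instead of being executed or dying. The point of the structure is that `eval` is the last step, reached only after the string has been proven to contain nothing but the tokens the spec allows; widening the whitelist (say, to `%` or `**`) is a one-character change to `$token`, whereas trying to blacklist dangerous constructs out of an unrestricted `eval` is a losing game.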