Sean O'Rourke wrote 2004-04-15 8:55 (-0700):
I find that there are still plenty of contexts in which `` is nice and security is irrelevant.
This is the second time in this thread that I read about security being unimportant. I still don't know what to say about it, though I feel like ranting.
Security is of course extremely important, but changing a language so that doing anything insecure becomes impossible or at least extremely difficult strikes me as a bit too much nannying. One should of course never accept user input without validating it first - especially stuff coming in over a network - but once you know what's in it, there's nowt wrong with interpolating that into a `` or qx// kind of structure.
Well, other than the usual mistakes you can make by forgetting how it's going to interact with the shell, but this really doesn't bother me in the slightest. And as has been said, there's a vast number of one-liners and short utility scripts out there which use backticks quite happily and safely. As with many things, they're only dangerous if you don't know what you're doing.
Probably you know when you can use qx safely, but many, MANY people out there have no clue whatsoever and use qx with interpolation *because* it is easy.
Which is exactly why I use it. I'm just not foolish enough to trust the variables I'm interpolating into it unless I've constructed them entirely myself and I know the code that constructs them is bug-free.
Having said all that about lack of knowledge though, I'm sure everyone on this list knows about how to deal with tainted data and such things, but there are a lot of fresh Computer Science graduates and other people learning programming who never hear a thing about it. I don't see that as an excuse to turn Perl into a hand-holding nanny language though.
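An added example, not code from the thread or from any of its participants, showing the three things the discussion circles around: a value validated (and thereby untainted under -T) before it is interpolated into backticks, the unchecked interpolation that taint mode refuses, and the list-form open() that never touches the shell at all. The command being wrapped (`wc -l` on a file name), the sub names, and the whitelist regex are all assumptions of this example.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;

# Constructed example: validate before interpolating into qx//, and the
# shell-free alternative.  Assumes `wc` is available on PATH.

# Whitelist the characters a plain file name may contain.  The capture in the
# regex is also what untaints the value under -T: a leading dot or any slash is
# rejected, so ".." and absolute paths never get through.
sub untaint_filename {
    my ($raw) = @_;
    return unless defined $raw;
    return $1 if $raw =~ /\A([A-Za-z0-9_][A-Za-z0-9_.-]{0,254})\z/;
    return;
}

# The "before": interpolating a value nobody has checked.  Shell metacharacters
# in $file would be handed to /bin/sh as part of the command line.  Under -T
# this dies with "Insecure dependency in ``" when $file is tainted, which is
# exactly the hand-holding the thread is debating.
sub count_lines_unchecked {
    my ($file) = @_;
    return `wc -l $file`;
}

# The "after": same backticks, but the value has been through the whitelist
# first, so nothing the shell treats specially can be in it.
sub count_lines_checked {
    my ($raw) = @_;
    my $file = untaint_filename($raw);
    die "invalid file name\n" unless defined $file;
    return `wc -l $file`;
}

# Shell-free alternative: list-form pipe open passes arguments straight to
# execvp(), so no shell ever parses them.  Validation is still worthwhile to
# reject nonsense early and to keep -T happy.
sub count_lines_noshell {
    my ($raw) = @_;
    my $file = untaint_filename($raw);
    die "invalid file name\n" unless defined $file;
    open(my $fh, '-|', 'wc', '-l', $file) or die "cannot run wc: $!";
    local $/;
    my $out = <$fh>;
    close $fh;
    return $out;
}

# Under -T, %ENV is tainted too: any command run through the shell or exec
# needs a known-safe PATH and the shell-influencing variables removed
# (the perlsec recommendation).
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

if (@ARGV) {
    print count_lines_noshell($ARGV[0]);
}
```

Run as `perl -T script.pl somefile.txt`; passing a name such as `foo;id` or `../etc/passwd` is rejected by `untaint_filename` before any command is built, and calling `count_lines_unchecked` with a command-line argument dies at the backticks because @ARGV is tainted.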