At 08:57 PM 7/10/97 +0200, Claes Bjorklund wrote:

>>At 9.23 7/10/97, Claes Bjorklund wrote:
>>>Is this cgi script dangerous?
>>
>>>$math = $FORM{'calc'};
>>>$res=eval "$math";
>>
>>Yes. Now, it is not as dangerous as it is on a UNIX box, but it is still
>>dangerous. Any Perl statement can be executed by the web user.
>>
>>Imagine the calculation was something like this, but only more damaging:
>>
>> MacPerl::Answer('Erase System Folder?', 'OK')
>>
>[...]
>Hi
>
>How do I do a script which is safe? I understand I must do some check of the
>input. Please help me, I am a beginner.

Claes,

I'm a beginner too, but you'd be safe in having the Perl script do the work, not the OS. That is to say, set up a field for each value, and a popup menu for the list of available operators. Make the user use the equations you've allowed in the form rather than just freehand-typing in an equation. Then, once you've got all the values and operators from the form, you can simply let Perl calculate the equation.

Another alternative would be to allow the user to type in the equation freehand and then you use regular expressions to split it apart into its component pieces and calculate it. Naturally, this could get out of hand very quickly since there are a million possible cases to handle, but if you were to limit it to only a few possibilities (and explain those on the web page), you could do it without too much trouble. For example, tell the user he's limited to addition/subtraction/multiplication/division as operators. Then it wouldn't be too terrible to split the equation apart and have Perl calculate it.

Wade

---------------------------------------------------------------------------
Wade Williams                 "And the trees are all kept equal by
Systems Engineer               hatchet, axe, and saw."
Cisco Systems, Inc.                        - N. Peart
Brentwood, TN
615-221-2918
wwilliam@cisco.com
---------------------------------------------------------------------------

***** Want to unsubscribe from this list?
***** Send mail with body "unsubscribe" to mac-perl-request@iis.ee.ethz.ch
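Both of the approaches Wade describes, as an added example for the thread (this is not Wade's or Claes's code): `calc_from_fields` takes the value/operator/value fields from a form whose operator comes from a popup menu and honours only a whitelist of operators, and `calc_freehand` takes a typed-in expression, splits it into tokens with regular expressions, and evaluates it with a small precedence parser. Neither function ever passes the user's string to `eval`, so a value such as `MacPerl::Answer('Erase System Folder?', 'OK')` is rejected instead of executed. The function names, and the idea that the form supplies fields called `left`, `op` and `right` or `calc`, are assumptions for the example; the sample inputs at the bottom are constructed.

```perl
#!/usr/bin/perl
# Added example, not code from the original thread. Evaluates user-supplied
# arithmetic without ever handing the string to eval. Function names and the
# assumed CGI field names (left/op/right, calc) are hypothetical.
use strict;
use warnings;

# Approach 1: fixed form fields. The operator comes from a popup menu, so only
# these whitelisted keys are accepted; anything else is refused.
my %OPS = (
    '+' => sub { $_[0] + $_[1] },
    '-' => sub { $_[0] - $_[1] },
    '*' => sub { $_[0] * $_[1] },
    '/' => sub { die "division by zero\n" if $_[1] == 0; $_[0] / $_[1] },
);

sub calc_from_fields {
    my ($left, $op, $right) = @_;
    # Only plain decimal numbers are accepted as operands.
    for ($left, $right) {
        die "bad number\n" unless defined $_ && /^-?\d+(?:\.\d+)?$/;
    }
    my $fn = $OPS{$op} or die "operator not allowed\n";
    return $fn->($left, $right);
}

# Approach 2: freehand expression limited to numbers, + - * / and parentheses.
# Regexes split it into tokens; a tiny recursive parser computes the value.
# Any character outside the allowed set aborts the whole request.
sub calc_freehand {
    my ($expr) = @_;
    die "empty expression\n" unless defined $expr && length $expr;
    my @tokens;
    for ($expr) {
        while (length) {
            if    (s/^\s+//)                 { next }
            elsif (s/^(\d+(?:\.\d+)?)//)     { push @tokens, ['num', $1] }
            elsif (s/^([-+*\/()])//)          { push @tokens, ['op',  $1] }
            else  { die "illegal character in expression\n" }
        }
    }
    my $pos  = 0;
    my $peek = sub { $pos < @tokens ? $tokens[$pos] : undef };
    my $take = sub { $tokens[$pos++] };
    my ($expr_p, $term_p, $factor_p);
    # factor := number | '(' expr ')' | '-' factor
    $factor_p = sub {
        my $t = $take->() or die "unexpected end of expression\n";
        return $t->[1] if $t->[0] eq 'num';
        if ($t->[1] eq '(') {
            my $v = $expr_p->();
            my $c = $take->();
            die "missing )\n" unless $c && $c->[1] eq ')';
            return $v;
        }
        return -$factor_p->() if $t->[1] eq '-';   # unary minus
        die "syntax error near '$t->[1]'\n";
    };
    # term := factor (('*' | '/') factor)*
    $term_p = sub {
        my $v = $factor_p->();
        while (my $t = $peek->()) {
            last unless $t->[0] eq 'op' && $t->[1] =~ /^[*\/]$/;
            $take->();
            my $r = $factor_p->();
            if ($t->[1] eq '*') { $v *= $r }
            else { die "division by zero\n" if $r == 0; $v /= $r }
        }
        return $v;
    };
    # expr := term (('+' | '-') term)*
    $expr_p = sub {
        my $v = $term_p->();
        while (my $t = $peek->()) {
            last unless $t->[0] eq 'op' && $t->[1] =~ /^[-+]$/;
            $take->();
            my $r = $term_p->();
            $v = $t->[1] eq '+' ? $v + $r : $v - $r;
        }
        return $v;
    };
    my $result = $expr_p->();
    die "trailing input\n" if $peek->();
    return $result;
}

# Constructed sample inputs, standing in for values read from $FORM{...}.
print "fields:   ", calc_from_fields('6', '*', '7'), "\n";
print "freehand: ", calc_freehand('2 + 3 * (4 - 1)'), "\n";
for my $bad ("MacPerl::Answer('Erase System Folder?', 'OK')", "1; 2", "1 +") {
    eval { calc_freehand($bad) };
    print "rejected '$bad': $@" if $@;
}
```

The point of the structure is that the only thing Perl ever executes is this script's own code: the user's text is either matched against a short whitelist (the operator menu) or reduced to number and operator tokens, and anything that does not fit dies before a calculation is attempted. In a CGI, wrap the call in `eval { }` as the sample loop does and turn `$@` into an error page rather than letting the script die mid-response.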