At 9:03 AM -0400 10/24/97, Chris Nandor wrote:

>Well, except that someone could copy his use LWP (or simply copy his HTML
>source) and change the values of the parameters and send that to the CGI
>script. Purty dangerous.

In that case, you simply make sure your eval is eval'ing a string... and check for the result. The eval code in question was doing its own testing for "eq"... the only variables in the eval string are from the form... and they are being compared with "eq". For eval purposes, something like:

    eval "qq/$var1/ eq qq/$var2/";

will do a string compare with $var1 and $var2 being expanded with no fear of the strings being interpreted as code. The only danger, as I mentioned before, is:

    eval "qq/$var1/ $op qq/$var2/";

because op could be *anything* at this point. Since the original poster knows they want it to be '<', '>', or '='... then a simple test beforehand is in order to make sure someone can't change that variable op.

Overall, from what I saw from the original poster.... there's nothing much to be concerned about. As I stated.... I think Safe.pm might be a bit of overkill. However.... if anyone here wants to use Safe... here's some quick example code:

    use Safe;

    my $safeCode = new Safe 'SafeCode';

    # $safeCode->trap(opcodename)
    # $safeCode->untrap(opcodename)

    my $code = "print qq/Hello World/;";
    $safeCode->reval($code);
    print "Error in SafeCode: $@" if $@;

    1;

The subs trap and untrap set up which opcode names are allowed or not. You can find the opcode names in opcode.h if I remember correctly. The Safe module calls an XSUB that switches out the main:: tablespace with its own when eval'ing via the reval method. Remember... since main:: is temporarily switched out, you will not have access to any variables outside of the reval call unless you 'share' them. Check out the Safe.pm source to see the calls for sharing vars, or Programming Perl 2nd Ed pg 491. However, Safe.pm has changed since those docs... and many of the calls do not work any longer.

The opcode manipulation functions mostly do not work because a new module Opcode.pm was created which handles manipulation of opcode masks. Checking out the Safe.pm and Opcode.pm source helps out a lot to understand what is really going on. Personally, I've written my own share method for my product... and after the new Safe.pm module broke my code once, I've been cautious about relying on some of the calls. I don't like moving APIs for production code.

If anyone else has any further questions about Safe.pm, I'd be happy to answer. I haven't had a chance yet to fully test out Safe.pm under MacPerl. As I get into testing my product for MacPerl, I'll have a good feel for how well it functions on the Mac (though I expect no surprises).

mark

PowerPerl(tm), mailto:info@powerperl.com
http://www.powerperl.com
A product of Tyrell Software Corp.
http://www.tyrell.com
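The check on the op field and the sharing of variables into a Safe compartment described in the message above, as an added example that is not the poster's code: the form field names var1, var2 and op and the sample values are constructed stand-ins for CGI parameters.

```perl
# Added example, not the poster's code. The form field names (var1, var2,
# op) and the values below are constructed stand-ins for the CGI parameters.
use strict;
use warnings;
use Safe;

my %form = (var1 => 'apple', var2 => 'banana', op => '<');

# The three operators the script expects, mapped to Perl string comparisons.
# Any other value of the 'op' field is refused before it goes near eval.
my %string_op = ('<' => 'lt', '>' => 'gt', '=' => 'eq');

sub check_op {
    my ($op) = @_;
    return $string_op{$op} if exists $string_op{$op};
    die "unexpected operator '$op'\n";
}

# 1. Plain string eval. The form values are never pasted into the code text:
#    the eval refers to the package variables by name (the backslashes keep
#    $var1 and $var2 from being interpolated while the string is built).
our ($var1, $var2) = ($form{var1}, $form{var2});
my $op = check_op($form{op});
my $plain = eval "\$var1 $op \$var2";
die "eval failed: $@" if $@;
print "plain eval: ", ($plain ? 'true' : 'false'), "\n";

# 2. The same comparison in a Safe compartment with the default opcode mask.
#    main:: is swapped out while reval runs, so the variables must be shared
#    explicitly; 'my' variables cannot be shared, hence 'our' above.
my $safe = Safe->new('SafeCode');
$safe->share('$var1', '$var2');
my $result = $safe->reval("\$var1 $op \$var2");
print "Error in SafeCode: $@\n" if $@;
print "Safe reval: ", ($result ? 'true' : 'false'), "\n";

# 3. Code using an opcode outside the default mask does not run; the
#    compartment reports the trapped opcode in $@ instead.
$safe->reval('system("echo this never runs")');
print "blocked by Safe: $@" if $@;

# 4. A tampered 'op' field is refused before any eval sees it.
eval { check_op('!=') };
print "refused: $@" if $@;
```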