"Mark F. Murphy" <markm@powerperl.com> writes: >In that case, you simply make sure your eval is eval'ing a string... and >check for the result. > >The eval code in question was doing it's own testing for "eq"... the only >variables in the eval string are from the form... and they are being >compared with "eq". > >For eval purposes, something like: > >eval "qq/$var1/ eq qq/$var2/"; > >Will do a string compare with $var1 and $var2 being expanded with no fear >of the strings being interpretted as code. Sorry, unless I misunderstand you, I have to disagree: $var1 could have been set to something like xy/,SOMETHINGEVIL,qq/za And when interpolated and evaled, anything could happen. A similar effect can be obtained when $var contains: @{[somethingevil]} Therefore, an eval is only safe if the string is checked with something like $var1 =~ /^[A-Za-z \t,.]+$/ first. Matthias ----- Matthias Neeracher <neeri@iis.ee.ethz.ch> http://www.iis.ee.ethz.ch/~neeri "I'm set free to find a new illusion" -- Velvet Underground ***** Want to unsubscribe from this list? ***** Send mail with body "unsubscribe" to mac-perl-request@iis.ee.ethz.ch