
Re: [MacPerl] How do you use Safe.pm?



At 6:36 PM +0200 10/24/97, Matthias Ulrich Neeracher wrote:
>"Mark F. Murphy" <markm@powerperl.com> writes:
>>For eval purposes, something like:
>>
>>eval "qq/$var1/ eq qq/$var2/";
>>
>>Will do a string compare with $var1 and $var2 being expanded with no fear
>>of the strings being interpreted as code.
>
>Sorry, unless I misunderstand you, I have to disagree: $var1 could have been
>set to something like
>
>xy/,SOMETHINGEVIL,qq/za
>
>And when interpolated and evaled, anything could happen. A similar effect can
>be obtained when $var contains:
>
>@{[somethingevil]}

Oops... at second glance there's a better solution.

For the known vars that have a known op comparison like 'eq', there's not
much reason to eval them if trying to do a string comparison.

So:

$test = $var1 eq $var2;

Should work just fine.

What's needed is to build the eval string for the op... and still use the
variables.  Since eval uses the my vars from the enclosed block, using the
vars in the eval is the way to go.

Here's an example:

##########################
use strict;

my $test;

print "\nPlease enter for test Var1 Op Var2\n\n";

print "Var1: "; my $var1 = &get_choice;
print "Var2: "; my $var2 = &get_choice;
print "Op:   "; my $op = &get_choice;

# Only eval when $op is exactly one of the allowed operators.  An unanchored
# pattern such as /^[<>]|==$/ parses as "starts with < or >" OR "ends with
# ==", so it would also pass something like "> 0; anything"; the anchored
# alternation below matches the bare operator and nothing else.
$test = eval ('$var1' . $op . '$var2') if ($op =~ /^(?:<|>|==)$/);

print "\n$var1 $op $var2 is " . ($test ? "TRUE" : "FALSE") . "\n";

1;

# chomp strips only a trailing newline (chop would eat the last character
# of a final line that has none); an empty string is returned at EOF.
sub get_choice {
    my $line = <STDIN>;
    return '' unless defined $line;
    chomp $line;
    return $line;
}

##########################

My point with this, of course, is that eval can be used safely if care is
given to know exactly what eval is doing.

Obviously, quick first looks can leave holes (as in my first example).
However, before plunging into the overhead of Safe.pm... it's always worth
seeing if a simple approach will work as well.

In the above example, eval uses $var1 and $var2 without interpolation.  $op
is added to the string... and of course we don't do the eval at all unless
$op is valid.

For this simple example, checking an opcode is fine.

If one is trying to do any further eval'ing of code from an outside source
(like a full perl script or expression), Safe.pm is a good way to go... I
use it.

mark

PowerPerl(tm),  mailto:info@powerperl.com   http://www.powerperl.com
       A product of Tyrell Software Corp.   http://www.tyrell.com
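The following is an added example, not code from Mark's message or from MacPerl, that carries the two ideas in the thread a step further: for a user-supplied operator, a whitelist lookup table of closures avoids string eval altogether; if string eval is kept, the operator check has to be anchored as a whole; and for a whole expression from an outside source, a Safe compartment runs it with the default opcode mask so that calls such as system() die instead of executing. The helper names compare, op_is_valid and safe_eval are hypothetical; the inputs are constructed, one of them being the string from Matthias's reply. It assumes Perl 5 with the standard Safe module.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Safe;

# Whitelist of comparison operators, each mapped to a closure (hypothetical
# helper; not from the original post).  A hash lookup either finds a closure
# or finds nothing, so no part of the user's input is ever parsed as Perl.
my %COMPARE = (
    '<'  => sub { $_[0] <  $_[1] },
    '>'  => sub { $_[0] >  $_[1] },
    '==' => sub { $_[0] == $_[1] },
    'eq' => sub { $_[0] eq $_[1] },
    'ne' => sub { $_[0] ne $_[1] },
);

# Returns 1 or 0; dies on an operator that is not in the table.
sub compare {
    my ($var1, $op, $var2) = @_;
    my $cmp = defined $op ? $COMPARE{$op} : undef;
    die "invalid op '" . (defined $op ? $op : '') . "'\n" unless $cmp;
    return $cmp->($var1, $var2) ? 1 : 0;
}

# If string eval is kept, the operator check must be anchored as a whole.
# /^[<>]|==$/ reads as "starts with < or >" OR "ends with ==", which also
# accepts "> 0; anything"; the anchored alternation below accepts only the
# three operators themselves.
sub op_is_valid {
    my ($op) = @_;
    return defined $op && $op =~ /^(?:<|>|==)$/ ? 1 : 0;
}

# For a whole expression from an outside source, run it in a Safe
# compartment.  The default opcode mask excludes system(), exec(), open()
# and friends, so such calls die inside reval() instead of executing.
# Returns (ok, value) on success or (0, error message) on failure.
sub safe_eval {
    my ($expr) = @_;
    my $cpt   = Safe->new;
    my $value = $cpt->reval($expr);
    return $@ ? (0, $@) : (1, $value);
}

# Constructed inputs; the third operand is the string from Matthias's reply
# and is compared as text only, never interpolated into code.
my @cases = (
    [ '3',                       '<',  '5'  ],
    [ 'xy',                      'eq', 'xy' ],
    [ 'xy/,SOMETHINGEVIL,qq/za', 'eq', 'xy' ],
);
for my $c (@cases) {
    my ($v1, $op, $v2) = @$c;
    printf "%-28s %-3s %-4s => %s\n", $v1, $op, $v2, compare($v1, $op, $v2);
}

print "op_is_valid('==')            => ", op_is_valid('=='), "\n";
print "op_is_valid('> 0; anything') => ", op_is_valid('> 0; anything'), "\n";

my ($ok, $out) = safe_eval('2 + 3');
print "safe_eval('2 + 3')           => ok=$ok value=$out\n";
($ok, $out) = safe_eval('system("echo hi")');
print "safe_eval(system(...))       => ok=$ok error=$out";
```

The lookup table is the approach to prefer when the set of operators is fixed, since there is no eval to get wrong; op_is_valid shows the one change that makes the eval version in the message above hold up; safe_eval is the Safe.pm route the message recommends for anything beyond a single operator, and the error it reports for the trapped call comes from the compartment's operation mask.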


