in reply to
Running System Commands With ""
As ferrency suggested in the crisis he describes in "Don't try this at home", composing all the bits of a system command into one line is dangerous, because one of those variables might contain a malicious command.
Instead, consider using the system LIST syntax, e.g.:
# # add double-quote characters to either end of realname
# # $realname = '"' . $realname . '"';
# commented out above line after fruiture pointed out that
# system LIST format makes it unnecessary -- and even
# wrong, since realname would then be stored with '"'
# on either side!
# run system command, but pass args directly to the
# adduser program, rather than booting a shell
die "trouble adding user: returned non-zero\n";
- Solve your problem with quotes, since you've added them $realname is passed as a single argument.
- Protect you from malicious examples like ferrency pointed out before.
See perldoc -f system.
update: fruiture pointed out that quotes were not needed in system LIST syntax.
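
The difference between the two forms of system, shown as an added example that is not part of the original post. It assumes printf as a harmless stand-in for adduser, a constructed $realname value, and a hypothetical helper named run_list:

```perl
#!/usr/bin/perl
use strict;
use warnings;

$| = 1;    # keep our output in order with the child processes' output

# Constructed sample input: a "real name" field carrying shell metacharacters.
my $realname = 'Alice Example; echo INJECTED';
my $username = 'alice';

# Stand-in for adduser (assumption): printf echoes each argument it receives
# inside <>, so the argument boundaries are visible.
my @cmd = ('printf', '<%s>\n', $realname, $username);

# Hypothetical helper: run a command without ever involving a shell.
# The indirect-object form (system { PROGRAM } LIST) keeps LIST semantics
# even for a one-element list, which plain system(@list) would hand to the
# shell as a single command string.
sub run_list {
    my @argv = @_;
    return system { $argv[0] } @argv;
}

print "--- single string (parsed by /bin/sh) ---\n";
# The shell splits $realname on spaces and treats ';' as a command separator,
# so the text after ';' runs as a second command.
system("printf '<%s>\\n' $realname $username");

print "--- LIST form (no shell) ---\n";
# $realname arrives as exactly one argument, metacharacters and all.
run_list(@cmd) == 0
    or die "trouble running command: returned non-zero\n";
```

In the first run the name is split into separate words and the text after the semicolon is executed by the shell; in the second, printf receives the whole name as one argument and nothing else is executed.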