Absolutely. If the above script was a cgi, you might as well reformat your disk now. If the script is meant to be a 'quick hack', evals work, they work well, and with minimal coding.
I have used unsafe hacks like this for my personal dirty scripts because I dont have the time, inclination, or need to make them luser or h4x0r safe.
As tachyon says, never use eval on user input unless this is intended to be a 'dirty quick hack'.
| [reply] |
>>"Absolutely. If the above script was a cgi, you might as well reformat your disk now. If the script is meant to be a 'quick hack', evals work, they work well, and with minimal coding."
Hi,
In the interests of clarity I'd be grateful if you could make it absolutely clear which of the "above" scripts you are referring to. I'm trying to learn and don't want to inadvertently misunderstand.
Thanks
Sid
| [reply] |
By 'above' I was refering to my previous post. If you run an eval on user input, the user input could be anything. In this case if the user instead of entering '>=' like we expect, enters ';`sudo rm -rf /`;' this will make the eval execute this extremely damaging command.
For more reasons of how to make sure you are not allowing users to do bad things, please read the perlsec manpage
| [reply] |
