Beefy Boxes and Bandwidth Generously Provided by pair Networks
Don't ask to ask, just ask

comment on

( [id://3333] : superdoc . print w/replies, xml ) Need Help??
If you pass a string from a user directly to open, the person can run arbitray commands. The username ';rm nameofcgi.cgi;' for example will delete nameofcgi.cgi (on some platforms, anyways). Even if you prefix the filename with a directory, someone could use ../ to write to the directory of their choice, someone could use a \0 to prevent any appended string from being used in the filename (since the underlying C library will take the \0 to be end of string). In other words, you need to verify that the data the user has given you does not contain anything it shouldn't. You can use the -T switch (#!/usr/bin/perl -T) which will enable taint checking which will cause perl to stop when it encounters a potentially unsafe operation.

In reply to RE: Re: File Naming by nardo
in thread File Naming by Mork29

Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post; it's "PerlMonks-approved HTML":

  • Are you posting in the right place? Check out Where do I post X? to know for sure.
  • Posts may use any of the Perl Monks Approved HTML tags. Currently these include the following:
    <code> <a> <b> <big> <blockquote> <br /> <dd> <dl> <dt> <em> <font> <h1> <h2> <h3> <h4> <h5> <h6> <hr /> <i> <li> <nbsp> <ol> <p> <small> <strike> <strong> <sub> <sup> <table> <td> <th> <tr> <tt> <u> <ul>
  • Snippets of code should be wrapped in <code> tags not <pre> tags. In fact, <pre> tags should generally be avoided. If they must be used, extreme care should be taken to ensure that their contents do not have long lines (<70 chars), in order to prevent horizontal scrolling (and possible janitor intervention).
  • Want more info? How to link or How to display code and escape characters are good places to start.