Please don't use eval for this! (was Re: List Values As Multidimensional Hash Keys)

As usual, this topic comes up every three to six months, and the same "eval" solutions get posted. As usual, I've downvoted any solution I've seen (or will see) in this thread that uses "eval". It's both unnecessarily inefficient, and a big security hole as well. Please use any other solution as a starter.

-- Randal L. Schwartz, Perl hacker
Be sure to read my standard disclaimer if this is a reply.

Comment on Please don't use eval for this! (was Re: List Values As Multidimensional Hash Keys)

Replies are listed 'Best First'.
Re: Please don't use eval for this! (was Re: List Values As Multidimensional Hash Keys) by rdm (Hermit) on Mar 15, 2004 at 00:54 UTC
Being of the ornery sort, this (to me) begs the following question: Efficiency aside, is there a safe way to utilise eval as a solution to this problem? Not a "good" way, or even a "mediocre" way, just safe? The intrinsic problem with eval is the possibility of hostile data being introduced into to evaluated string. So, is there a way of rendering the data safe? The obvious way is via taint checking, and string sanitising with tr or s, but is there a better way? Not that this should be construed as approval of the idea - the process startup overheads alone should be reason enough to do it any other way! -R	[reply]
Re: Re: Please don't use eval for this! (was Re: List Values As Multidimensional Hash Keys) by ysth (Canon) on Mar 15, 2004 at 01:07 UTC
Taking tachyon's sample code: `use strict; use warnings; my %hash; my $a = '1};print "You have just been cracked!\n";#a1:a2:a3=foo'; my ($key, $val) = split /=/, $a, 2; $key =~ s/:/}{/g; eval "\$hash{$key}=\"$val\""; __END__ You have just been cracked!` [download] You would replace the `$key =~ s/:/...` line with `use Data::Dumper; $Data::Dumper::Terse = 1; $Data::Dumper::Useqq = 1; $key = join '}{', Dumper split /:/, $key, -1;` [download]	[reply] [d/l] [select]


Problems? Is your data what you think it is?
	PerlMonks