http://www.perlmonks.org?node_id=336567


in reply to List Values As Multidimensional Hash Keys

As usual, this topic comes up every three to six months, and the same "eval" solutions get posted. As usual, I've downvoted any solution I've seen (or will see) in this thread that uses "eval". It's both unnecessarily inefficient, and a big security hole as well. Please use any other solution as a starter.

-- Randal L. Schwartz, Perl hacker
Be sure to read my standard disclaimer if this is a reply.

Replies are listed 'Best First'.
Re: Please don't use eval for this! (was Re: List Values As Multidimensional Hash Keys)
by rdm (Hermit) on Mar 15, 2004 at 00:54 UTC
    Being of the ornery sort, this (to me) begs the following question:
    Efficiency aside, is there a *safe* way to utilise eval as a solution to this problem? Not a "good" way, or even a "mediocre" way, just safe?

    The intrinsic problem with eval is the possibility of hostile data being introduced into the evaluated string. So, is there a way of rendering the data safe?
    The obvious way is via taint checking, and string sanitising with tr or s, but is there a better way?

    Not that this should be construed as approval of the idea - the process startup overheads alone should be reason enough to do it any other way!
    -R
      Taking tachyon's sample code:
          use strict;
          use warnings;
          my %hash;
          my $a = '1};print "You have just been cracked!\n";#a1:a2:a3=foo';
          my ($key, $val) = split /=/, $a, 2;
          $key =~ s/:/}{/g;
          eval "\$hash{$key}=\"$val\"";
          __END__
          You have just been cracked!
      You would replace the $key =~ s/:/... line with
          use Data::Dumper;
          $Data::Dumper::Terse = 1;
          $Data::Dumper::Useqq = 1;
          $key = join '}{', Dumper split /:/, $key, -1;
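
An eval-free way to build the nested hash, as an added example that is not part of the original thread: the key list is walked one level at a time, so neither the key nor the value is ever parsed as Perl. The helper name `set_nested` and the second input line are assumptions made for this illustration; the first input line is the hostile string from the sample code above.

```perl
use strict;
use warnings;
use Data::Dumper;

# Hypothetical helper (not from the thread): store $value in %$root under
# the nested keys in @path, creating intermediate hashes as needed.
# Keys are only ever used as hash subscripts, never compiled as code.
sub set_nested {
    my ($root, $value, @path) = @_;
    die "empty key path\n" unless @path;
    my $last = pop @path;
    my $node = $root;
    for my $k (@path) {
        # Refuse to turn an existing scalar value into a sub-hash.
        die "key '$k' already holds a non-hash value\n"
            if exists $node->{$k} && ref $node->{$k} ne 'HASH';
        $node = $node->{$k} //= {};
    }
    # Refuse to replace an existing sub-hash with a scalar.
    die "key '$last' already holds a sub-hash\n"
        if ref $node->{$last} eq 'HASH';
    $node->{$last} = $value;
    return $root;
}

my %hash;

# Constructed input lines in the thread's "k1:k2:k3=value" format.
my @lines = (
    '1};print "You have just been cracked!\n";#a1:a2:a3=foo',
    'b1:b2=bar',
);

for my $line (@lines) {
    my ($key, $val) = split /=/, $line, 2;
    next unless defined $val;    # skip lines without a value
    set_nested(\%hash, $val, split(/:/, $key, -1));
}

# The hostile text shows up as an ordinary (odd-looking) top-level key.
$Data::Dumper::Sortkeys = 1;
$Data::Dumper::Useqq    = 1;
print Dumper(\%hash);
```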