I only had problems with executing the script from the web.
It's for sure that I will block any character except numbers, letters and
underscore.
My problem was that I couldn't force the script to accept variable input and
execute the command (from the web).
Now everything works fine; it was a mistake in the command syntax.

Thanks
Alen

----- Original Message -----
From: "Curtis Poe" <[EMAIL PROTECTED]>
To: "Camilo Gonzalez" <[EMAIL PROTECTED]>; "'Alen Sarkinovic'"
<[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Wednesday, June 20, 2001 9:40 PM
Subject: RE: need code


> --- Camilo Gonzalez <[EMAIL PROTECTED]> wrote:
> > try
> >
> > system("/bin/somecommand $variable");
> >
> > or even
> >
> > `somecommand $variable`;
> >
> > -----Original Message-----
> > From: Alen Sarkinovic [mailto:[EMAIL PROTECTED]]
> > Sent: Wednesday, June 20, 2001 2:11 PM
> > To: [EMAIL PROTECTED]
> > Subject: need code
> >
> >
> > Hi
> > Can anybody send me Perl code that will take input from the web and
> > execute a Unix command, I mean SYSTEM(/bin/somecommand $variable)
> >
> > I have tried everything but am still not able to execute from the web;
> > everything goes fine from the command line: perl -T script.pl variable=blabla
>
>
> Be very, very careful about this!  It's extremely dangerous to run
> arbitrary commands with system().  If you already know the command you
> want to run, try using the multiple argument form of system (untested
> code):
>
> #!/usr/bin/perl -wT
> use strict;
> use CGI qw/:standard/;
>
> my $program        = '/bin/somecommand';
> my $dirty_variable = param( 'variable' );
> $dirty_variable = '' unless defined $dirty_variable;   # missing param, not undef
>
> # untaint the variable: only letters, digits and underscore pass.
> # \z (rather than $) anchors at the true end of the string, so a
> # trailing newline is rejected instead of tolerated.
> # you'll need to create your own regex if \w+ does not
> # meet your needs
> my ( $variable ) = ( $dirty_variable =~ /^(\w+)\z/ );
>
> # a failed match leaves $variable undef; never fall through to system()
> if ( ! defined $variable ) { some_error_routine( $dirty_variable ); exit }
>
> my $bad_status = system( $program, $variable );
>
> if ( $bad_status ) { die "$program returned a bad error code: $?" }
>
> Using the multiple argument form of 'system' forces the arguments to be
> passed to the program and not to the shell, where they could be
> interpreted in unexpected (and possibly dangerous) ways.
>
> Absolutely do NOT use backticks unless it is critical that you capture
> the output of the command.  Backticks are extremely dangerous if you are
> allowing any user data near the shell.
>
> Cheers,
> Curtis Poe
>
> =====
> Senior Programmer
> Onsite! Technology (http://www.onsitetech.com/)
> "Ovid" on http://www.perlmonks.org/
>
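The two points in Curtis's reply above (pass user data as a separate argument so no shell ever parses it, and untaint with an allowlist regex before doing anything with it) carried through in Python, as an added example that is not part of the original thread. It uses `echo` as a stand-in for `/bin/somecommand`, the hostile value for the `variable` parameter is constructed for the demonstration, and the function names are mine. `run_via_shell` corresponds to Perl's one-string `system("$program $variable")`, which hands anything containing shell metacharacters to /bin/sh; `run_as_argv` corresponds to the list form `system($program, $variable)`.

```python
"""Shell parsing vs. argument vector, plus allowlist untainting.

Constructed demonstration: the value a web client could send as
?variable=... is embedded inline, and 'echo' stands in for the real
/bin/somecommand so the effect is visible in the captured output.
"""
import re
import subprocess

# Constructed hostile input: a plausible value followed by a second command.
HOSTILE = "blabla; echo INJECTED"
CLEAN = "blabla"


def untaint(value):
    """Allowlist check, the counterpart of ($v) = ($dirty =~ /^(\\w+)$/).

    Returns the value only if it consists entirely of letters, digits and
    underscore; otherwise None, so a rejected value never reaches exec.
    fullmatch() anchors at the true end of the string (like Perl's \\z), so
    a trailing newline is rejected rather than silently tolerated.
    """
    if value is None:
        return None
    return value if re.fullmatch(r"\w+", value) else None


def run_via_shell(program, value):
    """Counterpart of the one-string form system("$program $value").

    The whole string is handed to /bin/sh, which honours ';', '|', '`',
    '$(...)' and friends inside the untrusted value.
    """
    cmd = f"{program} {value}"
    return subprocess.run(cmd, shell=True, capture_output=True,
                          text=True, check=False).stdout


def run_as_argv(program, value):
    """Counterpart of the list form system($program, $value).

    The value becomes exactly one argv element; no shell parses it, so
    metacharacters are just bytes passed to the program.
    """
    return subprocess.run([program, value], capture_output=True,
                          text=True, check=False).stdout


def safe_run(program, dirty_value):
    """Both layers: untaint first, then execute with an argument vector."""
    clean = untaint(dirty_value)
    if clean is None:
        raise ValueError(f"rejected input: {dirty_value!r}")
    return run_as_argv(program, clean)


if __name__ == "__main__":
    # Shell form runs two commands; argv form echoes the string literally.
    print("shell form:", repr(run_via_shell("echo", HOSTILE)))
    print("argv form :", repr(run_as_argv("echo", HOSTILE)))
    print("safe_run  :", repr(safe_run("echo", CLEAN)))
    try:
        safe_run("echo", HOSTILE)
    except ValueError as exc:
        print("safe_run  :", exc)
```

Running it shows the shell form printing two lines (`blabla` and `INJECTED`) while the argv form prints the single literal string `blabla; echo INJECTED`; `safe_run` refuses the hostile value outright. The allowlist is the first line of defence and the argument vector the second, so a regex that turns out to be too permissive does not by itself hand the attacker a shell.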
