Using eval is an unacceptable security bug for all online and public access programs that acquire data from external non-secured sources.

On Tue, May 30, 2017 at 09:39:53AM -0400, John Dunlap wrote:
> Yes, I do that extensively and it works perfectly. It's as close to a true
> Try/Catch block as we have in the perl world. However, I *usually* do not
> return values from it because I use this construct to control my database
> transaction demarcation and using the return value from outside of the eval
> wouldn't be inside the transaction. With that said, I have had to do it
> from time to time and it works just fine. Also, it is advisable to copy the
> contents of $@ into a separate variable immediately. My understanding is
> that this can prevent some weird concurrency issues, under some conditions.
> My general form looks something like this,
>
> my $return = eval {
>     # BEGIN DATABASE TRANSACTION
>
>     # DO SOME STUFF
>
>     # COMMIT DATA BASE TRANSACTION
>
>     return 'SOME VALUE';
> };
>
> if ($@) {
>     my $error = $@;
>
>     # ROLLBACK DATABASE TRANSACTION
>
>     # LOG ERROR
> }
>
>
> On Tue, May 30, 2017 at 4:47 AM, James Smith <j...@sanger.ac.uk> wrote:
>
> > Not really a mod_perl question but you can always wrap your method call in
> > an eval
> >
> > my $ret = eval { $m->...() };
> >
> > And then check $@ for the error message
> >
> >
> > On 2017-05-26 02:08 AM, Peng Yonghua wrote:
> >
> >> greeting,
> >>
> >> I am not so good at perl/modperl,:)
> >>
> >> In the handler, a method from a class was called, when something dies
> >> from within the method, what's the correct way the handler will take?
> >>
> >> for example, I wrote this API which works right if given a correct domain
> >> name:
> >>
> >> http://fenghe.org/domain/?d=yahoo.com
> >>
> >> server response:
> >> var data={"registration":"domain may be taken","domain":"yahoo.com"}
> >>
> >> If given a wrong domain name:
> >>
> >> http://fenghe.org/domain/?d=yahoo.nonexist
> >>
> >> The server returns 500.
> >>
> >> This is because, in the handler, I used this module (also written by me):
> >>
> >> http://search.cpan.org/~pyh/Net-Domain-Registration-Check-0.
> >> 03/lib/Net/Domain/Registration/Check.pm
> >>
> >> And in the module, a croak like this happened,
> >>
> >> croak "domain TLD not exists" unless tld_exists($tld);
> >>
> >> When handler meets the croak, it dies (I guess) and server returns 500.
> >>
> >> How will I make the full system work right? fix on handler, or the module
> >> itself?
> >>
> >> Thanks.
> >>
> >
> >
> >
> > --
> > The Wellcome Trust Sanger Institute is operated by Genome Research
> > Limited, a charity registered in England with number 1021457 and a company
> > registered in England with number 2742969, whose registered office is 215
> > Euston Road, London, NW1 2BE.
> >
>
>
> --
> John Dunlap
> *CTO | Lariat *
>
> *Direct:*
> *j...@lariat.co <j...@lariat.co>*
>
> *Customer Service:*
> 877.268.6667
> supp...@lariat.co

--
So many immigrant groups have swept through our town
that Brooklyn, like Atlantis, reaches mythological
proportions in the mind of the world - RI Safir 1998
http://www.mrbrklyn.com

DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002
http://www.nylxs.com - Leadership Development in Free Software
http://www2.mrbrklyn.com/resources - Unpublished Archive
http://www.coinhangout.com - coins!
http://www.brooklyn-living.com

Being so tracked is for FARM ANIMALS and extermination camps,
but incompatible with living as a free human being. -RI Safir 2013
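
Added example, not part of any message in this thread: a handler that wraps the croaking call in the block form eval { ... } (which traps die/croak and does not compile a string as code), validates the untrusted d parameter first, and answers with a 400 or a generic 500 body while the full error goes only to the log. check_domain(), %KNOWN_TLD and handle_request() are hypothetical stand-ins for the module and the mod_perl handler, and the TLD list is constructed sample data.

```perl
#!/usr/bin/perl
# Added example, not code from the thread. check_domain() and %KNOWN_TLD are
# hypothetical stand-ins for the module's croak-on-bad-TLD behaviour.
use strict;
use warnings;
use Carp qw(croak);
use JSON::PP ();

my %KNOWN_TLD = map { $_ => 1 } qw(com org net);    # constructed sample data

sub check_domain {
    my ($domain) = @_;
    my ($tld) = $domain =~ /\.([a-z0-9-]+)\z/;
    croak "domain TLD not exists" unless defined $tld && $KNOWN_TLD{$tld};
    return { domain => $domain, registration => 'domain may be taken' };
}

# Returns (HTTP status, JSON body) instead of letting the die become a 500.
sub handle_request {
    my ($d) = @_;
    my $json = JSON::PP->new->canonical;

    # Validate the untrusted query parameter before it reaches any lookup code.
    return (400, $json->encode({ error => 'invalid domain' }))
        unless defined($d)
        && length($d) <= 253
        && $d =~ /\A(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}\z/i;

    my $result;
    # Block eval traps die/croak. The trailing 1 makes success explicit, so the
    # outcome does not depend on $@ still being intact after the block.
    my $ok = eval { $result = check_domain(lc $d); 1 };
    if (!$ok) {
        my $error = $@ || 'unknown error';    # copy $@ immediately
        if ($error =~ /\Adomain TLD not exists/) {
            return (400, $json->encode({ error => 'unknown TLD' }));
        }
        warn "domain check failed: $error";    # full detail goes to the log only
        return (500, $json->encode({ error => 'internal error' }));
    }
    return (200, $json->encode($result));
}

# Constructed inputs: a valid name, an unknown TLD, and a malformed name.
for my $d ('yahoo.com', 'yahoo.nonexist', 'a;b.com') {
    my ($status, $body) = handle_request($d);
    print "$status $body\n";
}
```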