Re: Secure Form Script?
From: Stephen Samuel (samuel_at_bcgreen.com)
Date: 05/16/04
- Previous message: Runion Mark A FGA DOIM WEBMASTER(ctr): "RE: Secure Form Script?"
- Maybe in reply to: Victor Daniel a.k.a the MacNut: "Secure Form Script?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 16 May 2004 08:21:23 -0700
To: Glynn Clements <glynn.clements@virgin.net>
Glynn Clements wrote:
> Bryce Porter wrote:
>>running as. Directly executing anything is a big risk no matter how you
>>look at it, as far as I'm concerned.
>
> No. The risk isn't in *directly* executing a program; it's executing
> it via the shell.
....
> OTOH, if you pass a scalar or a single-element array, it may be passed
> to the shell (if the string contains no shell metacharacters, perl
> will use its own trivial shell emulation instead). Similarly,
> backticks use the shell.
>
I'd further say that what's dangerous is passing a stranger-provided
string to the shell. Passing an unsanitized stranger-provided
string to the shell, however, isn't dangerous. It would be simply
insane.
-- Stephen Samuel +1(604)876-0426 samuel@bcgreen.com http://www.bcgreen.com/~samuel/ Powerful committed communication. Transformation touching the jewel within each person and bringing it to light.
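The distinction Glynn and Stephen are drawing (scalar `system()` reaches `/bin/sh` when the string carries metacharacters, list-form `system()` never does, and stranger-supplied input should be checked before it gets near either) in a runnable Perl script. This is an added example, not code from the thread; the form value, the `ls -l` command and the filename allowlist policy are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example (not from the thread): how perl's system() decides whether a
# shell is involved, and why list form plus an allowlist check is the safe path.
use strict;
use warnings;

# Constructed attacker input, e.g. the value of a "filename" form field.
my $form_value = 'report.txt; echo INJECTED';

# UNSAFE: one scalar argument containing a shell metacharacter (';' here).
# perl hands the whole string to /bin/sh -c, so the shell runs a second command.
# (With no metacharacters present perl would split on whitespace and execvp()
# the words itself, as Glynn notes, but you cannot rely on that with user data.)
sub list_file_unsafe {
    my ($name) = @_;
    return system("ls -l -- $name");
}

# SAFE: list form with more than one element. perl execvp()s ls directly and
# the value arrives as a single argv entry; the ';' is just a byte in a filename.
# '--' stops ls from treating a value that begins with '-' as an option.
sub list_file_safe {
    my ($name) = @_;
    return system('ls', '-l', '--', $name);
}

# SAFER: reject anything outside an allowlist before it gets near a command,
# whichever system() form is used. Hypothetical policy: a single path component
# of word characters, dots and dashes, not starting with a dot.
sub sanitize_filename {
    my ($name) = @_;
    return undef unless defined $name;
    return undef unless $name =~ /\A([\w.-]+)\z/;
    my $clean = $1;                       # regex capture also untaints under -T
    return undef if $clean =~ /\A\./;     # no dotfiles, no '.' or '..'
    return $clean;
}

print "--- scalar form (shell involved) ---\n";
list_file_unsafe($form_value);   # ls complains about the file, then INJECTED is printed

print "--- list form (no shell) ---\n";
list_file_safe($form_value);     # ls: cannot access 'report.txt; echo INJECTED'

print "--- allowlist check ---\n";
my $clean = sanitize_filename($form_value);
if (defined $clean) {
    list_file_safe($clean);
} else {
    print "rejected: $form_value\n";
}

# Backticks behave like the scalar form: `ls -l -- $form_value` also reaches
# the shell when metacharacters are present, so the same rule applies there.
```

Run it with `perl -T` if the script will sit behind a CGI handler; taint mode will refuse to pass unchecked form data to the shell, and the regex capture in `sanitize_filename` is the conventional way to untaint a value once it has been validated.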