#perl
01 November 2007
Total 36 pages. You are browsing page 36/36.
23:45 <****> I'm hacking together a quick and dirty script to execute a few shell commands. The command takes one argument (a database name) and runs `zcat db_backup.gz |mysql -u foo --password=bar $dbname`. I'm "cleansing" the $dbname = $ARGV[0] with $dbname =~ s/\W//g; and then making sure the name starts with a certain pattern. I'm concerned about shell command injection. Do I have my bases covered or is this fundamentally bad practice? realize this is likely a FAQ, but I haven't found it. thanks.
23:47 <****> rindolf: It turned out all 1337. You can adjust the number of sides of the polygon from 2 to infinity, and iterate it back and forth.
23:47 <****> roue: don't use the one argument form of system if you're concerned about injection
23:47 <****> Caelum what's the better option?
23:47 <****> roue: you can use quotemeta() to quote shell special characters
23:47 <****> roue: look at String::ShellQuote
23:47 <****> roue: system qw(command arg1 arg2 ...) for example
23:48 <****> That won't work with a pipe, though
23:48 <****> jagerman: why not? open my $pipe, "|-", qw(command arg list ...)
23:49 <****> Presumably he's looking for both input and output
23:49 <****> oh right, sorry...
23:49 <****> (Or else perhaps he shouldn't be using ``)
23:49 <****> I don't much care for the output in this case.
23:49 <****> also, you'd have to set up the plumbing between zcat and mysql
23:50 <****> this script allows the web devs to refresh their development database with a recent copy of the production db.
23:50 <****> and I wouldn't worry about it, except they're probably going to wrap it in a web form.
23:51 <****> There's a CPAN module to quote shell arguments
23:51 <****> that's the String::ShellQuote?
23:51 <****> That sounds right
23:51 <****> okay. thanks for your help folks.
23:51 <****> Great! Kopete crashes when opening the chat window.
23:51 <****> you could just use Compress::Zlib instead of zcat too
23:53 <****> why would String::ShellQuote be preferred over quotemeta() there?
23:53 <****> pravus: quotemeta is for Perl special chars.
23:53 <****> pravus: for regexen
23:53 <****> quotemeta is for perl REs
23:57 * CPAN upload: DBD-MVS_FTPSQL-0.38.13 by CBIONDO
23:57 <****> split() == split(/ /, $_) == split(' ') right?
23:59 <****> eval: [split( ' ', "here is a string" )];
23:59 <****> LeoNerd: ['here','is','a','string']
23:59 <****> eval: [split( m/ /, "here is a string" )];
23:59 <****> LeoNerd: ['here','','','is','a','','','string']
23:59 <****> ^-- no
23:59 <****> noon: except it's /\s+/
23:59 <****> eval: $_ = "here is a string"; [split]
23:59 <****> jagerman: ['here','is','a','string']
23:59 <****> eval: $_ = " here is a string "; [[split], [split ' ']]
23:59 <****> jagerman: [['here','is','a','string'],['here','is','a','string']]
--- Log closed Fri Nov 02 00:00:08 2007
