1. Shlomi Fish
  2. perl-begin


Shlomi Fish  committed 6ace343

Add "string eval" to the bad-elements page.

  • Participants
  • Parent commits 277f43a
  • Branches default

Comments (0)

Files changed (3)


View file
         - no way to avoid it for one argument.
         - use IPC::Run or IPC::System::Simple
     - trailing whitespace.
+    - Using string eval.
+        - Two or more /e flags for s/// .


View file
         - shell code injection.
         - cross-site-scripting / HTML injection.
         - SQL injection.
-    - Using string eval.
-        - Two or more /e flags for s/// .
     - Regular expressions starting or ending with .*? or .*
     - Using one variable for two different things
         - assignment to a different value in the middle of the subroutine.

File src/tutorials/bad-elements/index.html.wml

View file
+<item id="string-eval" h="Misusing String Eval">
+String <pdoc_f f="eval">eval</pdoc_f> allows one to compile and execute
+(possibly generated) strings as Perl expressions. While it is a powerful
+feature, there are usually better and safer ways to achieve what you want
+using string <tt>eval ""</tt>. So you should only use it, if you are an expert
+and really know what you are doing.
+Related to string eval, is using two or more <tt>/e</tt> flags in the
+<tt>s///</tt> substitution. While one /e flag is often useful (for example
+when subtituting counters like in <tt>s/#\./($i++)."."/ge</tt>) the second
+/e flags just evals the generated expression again. This can easily be done
+with using string eval inside the right-hand-side, assuming it is needed which
+is normally not the case.
 #include "bad-elements-sources.wml"