system() call in perl?

+1 vote
397 views
$ perl -le 'system "df -h"'
$ perl -le 'system "df","-h"'

Both styles work fine. What's the difference between them, and which is the better usage?

posted Jul 24, 2018 by Ahmed Patel


1 Answer

0 votes

The first spawns a shell and can handle things like globs. This is less efficient, more powerful, and more dangerous (susceptible to code injection attacks).
The second does not spawn a shell and therefore cannot handle globs. It is also less susceptible to code injection attacks.

system "ls *.pl";

is equivalent to typing ls *.pl on the command line.

system "ls", "*.pl";

is equivalent to typing ls *.pl on the command line, but the glob does not expand.

Code injection attacks can occur when you use untrusted data in something that runs code (like string eval) or executes programs (like system):

my $user = untrusted_source();
system "ls /home/$user > /tmp/userfiles";

If the untrusted source returns "; cat /etc/passwd" then you will copy the passwd file to /tmp/userfiles instead of the intended output. It is always good to sanitize user inputs (ensure that the values are within the expected values) that are untrusted for this reason. If you are handling untrusted data often, it is a good idea to turn on taint mode in Perl. It will throw a runtime error if you try to use untrusted data without sanitizing it with a regex or other sanitizing function.

See https://perldoc.perl.org/perlsec.html#Taint-mode

answer Jul 24, 2018 by anonymous
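As an added example (not part of the original answer), the same untrusted value run through both forms of system(), followed by the kind of allowlist check the answer recommends before the value reaches a command. It assumes a POSIX /bin/sh, an echo command on PATH, and ls accepting "--" to end option parsing.

```perl
#!/usr/bin/env perl
# Added example, not the original poster's code. Shows why the list form
# of system() does not suffer the injection described in the answer, and
# validates the input before it is used at all.
use strict;
use warnings;

# Constructed stand-in for untrusted_source(): a value carrying a shell
# metacharacter. To a shell, everything after the ';' is a second command.
my $user = 'alice; echo INJECTED';

# Single-string form: Perl hands the whole string to /bin/sh -c, so the
# shell splits it into two commands and prints "alice", then "INJECTED".
system "echo $user";

# List form: no shell is involved; echo receives one literal argument and
# prints "alice; echo INJECTED" on a single line. Nothing extra runs.
system 'echo', $user;

# Allowlist check: accept only what a username is allowed to look like
# (assumed pattern) and reject everything else. Returns the value or undef.
sub safe_username {
    my ($value) = @_;
    return $value =~ /\A[a-z_][a-z0-9_-]{0,31}\z/ ? $value : undef;
}

# The listing the answer's snippet wanted, run without a shell and only
# after the argument passes the check. Returns true when ls succeeded.
sub list_home {
    my ($raw) = @_;
    my $name = safe_username($raw);
    die "refusing unexpected username: $raw\n" unless defined $name;
    # '--' keeps ls from reading a leading '-' as an option. system()
    # returns 0 on success; the exit status lives in the high byte of $?.
    my $rc = system('ls', '--', "/home/$name");
    warn "ls failed with exit status ", $? >> 8, "\n" if $rc != 0;
    return $rc == 0;
}

list_home('alice');            # runs: ls -- /home/alice (no shell)
eval { list_home($user) };     # dies before any command is executed
print "rejected: $@" if $@;
```

Taint mode (perl -T) would make the single-string call above a runtime error as well, because $user is derived from outside the program and has not been untainted by a regex capture.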