|
I'm writing a perl CGI script, and I'm attempting to have it run in taint mode because there is form input that will eventually end up in a database query. However, it doesn't appear that my -T flag on the parent script is propagating to modules that are loaded -- this is a problem because I have all of the database interaction broken off into a module. When attempting to do $dbh->TaintIn = 1; in the module I get a Can't locate object method "TaintIn" via package "DBI::db" -- however if I setup a dbh in the parent script and set TaintIn it works fine. I'm sure I'm missing something dumb here so any help is appreciated. Also, for what it's worth this is for an internal website, so I doubt there will be any malicious intent, but I think it's worth going through all the motions regardless for many other reasons.
|
# ? Jul 7, 2010 20:03 |
|
|
# ? Apr 23, 2024 21:15 |
|
Why not use a parameterized query instead of relying on taint checking?code:
|
# ? Jul 7, 2010 20:17 |
|
I'm doing that anyway, but with taint checking it will force me to validate the data going into the database for general correctness... not just for malicious intent. Also just using bind variables may protect my scripts from SQL injection, but if I willingly insert tainted data, and someone else's script pulls from the database and queries off that data without bind variables (which will in fact be the case) then they will just end up hitting it there. It would seem to be best practice to do some sanity checking on what is being tossed into the DB.
|
# ? Jul 7, 2010 20:27 |
|
SynVisions posted:Also just using bind variables may protect my scripts from SQL injection, but if I willingly insert tainted data, and someone else's script pulls from the database and queries off that data without bind variables (which will in fact be the case) then they will just end up hitting it there.
|
# ? Jul 7, 2010 20:31 |
|
Filburt Shellbach posted:Why not use a parameterized query instead of relying on taint checking? It is but that's not why and you know that!
|
# ? Jul 7, 2010 20:48 |
|
JawnV6 posted:The pattern I always use is this: I prefer abusing list context: code:
|
# ? Jul 8, 2010 03:58 |
|
Hey guys, Perl question (duh). I have a mess of Perl code which, just for the hell of it, I've been trying to get going on Windows. If you must know, it's an AFP (yes, that's Apple Filing Protocol) stack implementation in pure Perl. It works great on Linux, FreeBSD, NetBSD, and even MacOS X (faster than Apple's client, even - I poo poo you not). However, on Windows, it gets really cranky. The network socket, for some reason, doesn't behave right. I'm using IO::Poll, in a thread, for receiving responses back from the server and dispatching the parsed response data. When I do the poll() call, though, it seems like the network socket doesn't return immediately when data hits the socket (like on every UNIX-like platform), but instead waits the whole poll() period. This slows things down a lot, making all requests take way longer than they reasonably ought to. It works eventually, just slowed way down. It doesn't make any sense to me. I've tried this with both ActiveState Perl and Strawberry Perl, with no apparent difference in the socket behavior. It's almost like Perl's somehow operating on the sockets wrong in its Winsock calls. Is this normal, or is there something special I need to do with sockets on Windows Perl to make it behave like I expect? Edit: After poking at it more, it isn't what I thought; every request I send is taking 3-10 seconds to get a response. Even simple ones that should turn around almost immediately. This makes no sense to me. Edit 2: And using Wireshark to dump packets shows that sending them out on the socket isn't actually sending the data. I'm setting the TCP_NODELAY option, so there should be no reason for the TCP stack to hold the data, and yet I can see that the packet is going out well after I send the data on the socket. Once it actually goes out, the response is almost immediate, but the question is, why is that data not going out when it should? It does everywhere else. Edit 3: Okay, looked more into it. syswrite() calls are blocking for an inordinate period of time. I don't know why, this only happens on Windows. I feel like I must be missing something terribly obvious, yet the fact that this code works perfectly on several other (not Windows) OSes would seem to indicate the problem isn't mine. What. The. Hell. Dinty Moore fucked around with this message at 17:35 on Jul 10, 2010 |
# ? Jul 10, 2010 14:26 |
|
demonbleh posted:Edit 3: Okay, looked more into it. syswrite() calls are blocking for an inordinate period of time. I don't know why, this only happens on Windows. I feel like I must be missing something terribly obvious, yet the fact that this code works perfectly on several other (not Windows) OSes would seem to indicate the problem isn't mine. What. The. Hell. Hard to say without seeing code, but it sounds like a buffering-related issue on the filehandle. Are you mixing buffered and non-buffered operations on the same handle? Beware of stuff like <FH> (which is buffered). On win32, syswrite on a socket does have a different implementation than other platforms. See PERL_SOCK_SYSWRITE_IS_SEND and pp_send in the perl source.
|
# ? Jul 12, 2010 18:28 |
|
satest3 posted:Beware of stuff like <FH> (which is buffered). Also beware of using a non-lexical filehandle
|
# ? Jul 12, 2010 20:33 |
|
satest3 posted:Hard to say without seeing code, but it sounds like a buffering-related issue on the filehandle. Are you mixing buffered and non-buffered operations on the same handle? Beware of stuff like <FH> (which is buffered). Definitely not, I am only using sysread() and syswrite() (and of course the poll() method on the IO::Poll object, and one setsockopt() call to set TCP_NODELAY). If you want to see the actual code, you can check it out at: http://svn.now.ai/filedetails.php?repname=afp-perl&path=/trunk/Net/DSI.pm That implements the actual socket access methods, so you can see what I mean. satest3 posted:On win32, syswrite on a socket does have a different implementation than other platforms. See PERL_SOCK_SYSWRITE_IS_SEND and pp_send in the perl source. I'll have to pull the source and check it out. I haven't messed with digging around in the interpreter itself, since I didn't really know what I'd be looking for anyway.
|
# ? Jul 13, 2010 05:56 |
|
You may want to try replacing calls to sysread with recv and see if that makes a difference.
|
# ? Jul 13, 2010 06:55 |
|
Otto Skorzeny posted:Also beware of using a non-lexical filehandle If by "lexical filehandle", you mean an autovivifying filehandle in a variable... well, I'm not. It's an IO::Socket::INET object (which I guess is basically a generated filehandle glob blessed into a package). Guess I don't see why that should be a problem.
|
# ? Jul 13, 2010 14:01 |
|
demonbleh posted:If by "lexical filehandle", you mean an autovivifying filehandle in a variable... well, I'm not. It's an IO::Socket::INET object (which I guess is basically a generated filehandle glob blessed into a package). Guess I don't see why that should be a problem. They're talking about "FH" vs. "$FH". The former is like a function name, a globally accessible thing from the moment when it's first used/defined, which can be used ANYWHERE in your code, completely regardless of scope. This means you can have very interesting magic behavior if you, for example, use the same file handle name in different places with different things and an open or close action fails silently. The latter is only accessible within its scope and gets destroyed at the end of it. It's completely secure.
|
# ? Jul 13, 2010 14:34 |
|
Mithaldu posted:They're talking about "FH" vs. "$FH". Okay, that's what I thought. Since I'm using IO::Socket::INET, and not just naming globs in my code, that's definitely not what's up.
|
# ? Jul 13, 2010 17:02 |
|
demonbleh posted:Definitely not, I am only using sysread() and syswrite() (and of course the poll() method on the IO::Poll object, and one setsockopt() call to set TCP_NODELAY). If you want to see the actual code, you can check it out at: Only had time to skim it briefly... Could you try adding binmode($conn) after your socket is created? Just a wild guess. I think sockets are O_BINARY by default in recent perls though. Also remember that sysread can return a number different than the length you supplied it. And sysread/syswrite could return undef. Maybe check the return value of setsockopt too? code:
|
# ? Jul 13, 2010 19:52 |
|
Mithaldu posted:They're talking about "FH" vs. "$FH". That's kind of true. It is a package global. It references the IO slot of the typeglob stored in the symbol table of the current package. Try this... code:
quote:This means you can have very interesting magic behavior if you, for example, use the same file handle name in different places with different things and an open or close action fails silently. This is also true of lexicals, no? quote:The latter is only accessible within its scope and gets destroyed at the end of it. It's completely secure. That's kind of true. A lexical scalar can be passed out of its scope and exist after perl leaves the scope in which it was defined. Leaving a scope only decrements the reference count of SVs that were declared in that frame. Perl will only destroy a scalar whose reference count is zero, be it lexical or dynamic. Also, be aware that lexicals are scoped to the current file.... code:
|
# ? Jul 13, 2010 21:38 |
|
satest3 posted:Could you try adding binmode($conn) after your socket is created? Just a wild guess. I think sockets are O_BINARY by default in recent perls though. Actually tried that in a local copy, thinking it might make a difference (right after I call setsockopt(), for reference). Didn't change the behavior, still got the same delays during syswrite()s. Also the packets do go out correctly (based on wireshark's captures), and the responses are correct; it's just the delay that's messing things up. satest3 posted:Also remember that sysread can return a number different than the length you supplied it. And sysread/syswrite could return undef. Maybe check the return value of setsockopt too? Yeah, after reading more recently about them, I realized that that's something to consider. Hasn't affected me thus far, but definitely could. I'll have to work that in; fortunately there are only a handful of places where I'm calling sysread() and syswrite().
|
# ? Jul 13, 2010 21:44 |
|
satest3, you're basically right with everything in there, but let me just say I was thinking about lexical variables in sub routines. Global lexical variables are nasty and should be avoided, or only used for very specific purposes.
|
# ? Jul 13, 2010 21:44 |
|
I'm trying to follow an online tutorial for learning Perl (no programming experience) and I'm hitting a hurdle while doing an example.code:
code:
|
# ? Jul 14, 2010 03:02 |
|
Hughmoris posted:
You want parentheses not braces.
|
# ? Jul 14, 2010 03:06 |
|
Filburt Shellbach posted:You want parentheses not braces. That did it, thank you.
|
# ? Jul 14, 2010 03:08 |
|
satest3 posted:I like you. What are the braces referring to?
|
# ? Jul 14, 2010 03:32 |
|
Triple Tech posted:What are the braces referring to? They're vim fold markers.
|
# ? Jul 14, 2010 04:58 |
|
demonbleh posted:They're vim fold markers. why not just enable perl_fold in vim?
|
# ? Jul 14, 2010 05:59 |
|
Fenderbender posted:why not just enable perl_fold in vim? I'm not crazy about syntax-based folding. I use foldmethod=marker foldlevel=1. I mostly use folding for PHP though, and really only to wrap functions/methods.
|
# ? Jul 15, 2010 16:15 |
|
satest2 posted:I'm not crazy about syntax-based folding.
|
# ? Jul 15, 2010 16:32 |
|
I'm a complete noob when it comes to languages, I'm just starting perl. Can someone break down this if line character by character from a loop that determines whether or not STDIN is a numeric value: if ( $input =~ /^[\+-]*[0-9]*\.*[0-9]*$/ && $input !~ /^[\. ]*$/ ) {
|
# ? Jul 15, 2010 22:17 |
|
You should really just read up on regular expressions. Anyway. ^ means "start of line", [] surround sets of characters, * means "arbitrarily many of what comes before", $ means "end of line". So it matches if the line is arbitrarily many +/- characters (probably a mistake), followed by arbitrarily many digits ('-' inside [] means a range of characters), followed by arbitrarily many '.'s, followed by arbitrarily many digits, *and* if the the line doesn't just contain arbitrarily many '.'s or spaces. So the lines '++-+....9321' and '--9019.' are okay, but '.' isn't.
|
# ? Jul 15, 2010 22:34 |
|
I need some help, I'm calling a program from a perl script using backticks, and this secondary program needs to read data from STDIN... I'm sure I read somewhere that the parent program's STDOUT is essentially the same as the 2nd program's STDIN, but I can't get it to work. here's essentially what my code is, I want to capture the output of the command in result: code:
|
# ? Jul 17, 2010 04:27 |
|
I think you need to use 'open' to do that:code:
|
# ? Jul 17, 2010 04:36 |
|
Thank you that helped immensely. I'm finding Perl syntax to be very strange.... and frustrating.
|
# ? Jul 17, 2010 04:59 |
|
Ninja Rope posted:You may want to try replacing calls to sysread with recv and see if that makes a difference. Sorry, tried this. This didn't help, if anything it amplified the problem.
|
# ? Jul 17, 2010 05:48 |
|
Pweller posted:I need some help, I'm calling a program from a perl script using backticks, and this secondary program needs to read data from STDIN... You could give IPC::Run3 a try.
|
# ? Jul 17, 2010 09:01 |
|
Pweller posted:I'm finding Perl syntax to be very strange.... and frustrating. This is less about Perl's syntax and more about how non-shared-memory IPC works. Backticks aren't "real" bi-di IPC at all. Like in the shell, backticks do not open a channel to the subordinate process. They simply launch the command, wait for it to exit, then store whatever output there was in the variable you specify. Things like IPC::Run3 and IPC::Open2 create bidirectional channels, which is what you want, but they do still have pitfalls (especially IPC::Open2, which is a recipe for deadlock unless you have control over what BOTH sides are sending, and know that every filehandle is autoflushing). They're pretty simple to use, though. Probably the safest and most flexible (but definitely the most complex) answer is using IO::Select and IO::Socket to do IPC via the networking stack instead of pipes.
|
# ? Jul 18, 2010 16:32 |
|
The Perl 6 project turned 10 today; the Rakudo (parrot) implementation turned negative 2 weeks old.
|
# ? Jul 19, 2010 00:24 |
|
Pretty good post describing the project's history http://use.perl.org/~masak/journal/40451
|
# ? Jul 19, 2010 00:56 |
|
So a quick question. I've got the following code to get the location of gzcat and remove the trailing linebreak: code:
Any clues? EDIT:- Further checking shows that this is due to the backticks returning an error, despite the command running successfully, I'll check further... Rohaq fucked around with this message at 18:01 on Jul 21, 2010 |
# ? Jul 21, 2010 17:58 |
|
Rohaq posted:backticks I'd suggest you use Capture::Tiny like so: code:
|
# ? Jul 21, 2010 18:19 |
|
Mithaldu posted:I'd suggest you use Capture::Tiny like so: I've taken to using the system command for now, but I need to redirect the output of STDOUT temporarily to my variable to make it work - Any ideas on how to do this?
|
# ? Jul 21, 2010 18:44 |
|
|
# ? Apr 23, 2024 21:15 |
|
Rohaq posted:This will be running on a server where it can be a pain to get new modules installed. Try and see if you can just upload this module and use it directly: http://cpansearch.perl.org/src/DAGOLDEN/Capture-Tiny-0.08/lib/Capture/Tiny.pm Alternatively, this will allow you to privately install modules: http://search.cpan.org/~getty/local-lib-1.006005/lib/local/lib.pm
|
# ? Jul 21, 2010 18:54 |