Thanks for the reply. To simplify the question and not get off track I need to see if a string contains a variable 'name' not 'value'.

    if($string =~ m/\$variable/) { print "Yes \$variable exists"; }
    $variable = "Hello world";

So if $string contains -> 'HI their I am $variable' it will say "Yes $variable exists".
But if string is -> 'hi there ' it will not print that.

When I do print $screen; I get "Hi their I am Hello world", so it would seem that it is searching for the string '$variable' in the string "Hi their I am Hello world", where it doesn't exist.

Any way to get the regex to look at $string as if I had used single quotes to give it value?

    $string = 'HI there I am $variable';

This works but I can't do it this way.
If not I'll figure something else out.

Thanks

Dan

+++++++++++

Yeah I know the risks, but it's not just a matter of using a template system. It has nothing to do with a template. It's much more complicated than that.

I'll look into using Safe. There's no way around it as that is the point of this script. Basically it lets someone, usually only me, enter in perl code that does what it does based on Database info and input.

Basically stuff like this:

    if($joemama_DB ne $joemama_input && $joemama_input eq 'needs_scheduled') {
        &emaillinkto("hey this guy needs scheduled!","[EMAIL PROTECTED]");
    }

I already have it not executing the code if it contains 'no strict' so that they can't turn off 'use strict 'refs'' and use references, as well as some other things that will cause them to be able to use refs and such, like qualify_to_ref, etc.

There is just one variable that I don't want them to be able to use, but every time I check for it, it is not seeing the variable name, it is seeing the variable content.

This is a simplified form of what I am trying to do:

    if($code =~ m/\$password/) { print "NO way pal \n"; } # ie if $code contains the string '$password' then don't do it!
    else { ...

Why not just hard code that in, you ask? Because this needs to be very very flexible and do almost anything. Some of the more common tasks I've created subroutines for, like emaillinkto, etc.

Basically, besides the security risks

-----Original Message-----
From: Jenda Krynicky [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 13, 2003 5:06 PM
To: [EMAIL PROTECTED]
Subject: Re: finding variable name in string

From: "Dan Muey" <[EMAIL PROTECTED]>
> Sorry to bother but...
> I have a script that I have to do an eval on code that someone else
> has put in a database. ...

Are you sure you want to do that? Are you sure you want them to be able to run any code they wish inside your script? Deleting files they should not have access to, mailing themselves information they should not see, breaking something ... ?

You should be really really really careful with this!
And if you really must allow them to enter CODE into the database then at least

    use Safe;

with the strictest settings that allow you to do what you must.

> $code = "$row[1] $row[2] $row[3]"; # @row is from a database query

This looks like all you need is to fill in a TEMPLATE, that they do not need to execute (read DO) something, but instead construct some text perusing some variables.

It would be much better to store something like this:

    This is a notification that the %JobTitle% job posting on
    %SiteName% will expire in %ExpireInDays% days."

in the database. Then fill some hash with the data (from the database and elsewhere) and do:

    $template =~ s/%(\w+)%/$data{$1}/g;

See some more comments below.

> so I try to do this :
>
> if($code =~ m/\$password/) { print "NO way pal \n"; } # ie if $code
> contains the string '$password' then don't do it! else {
>
> eval $code;
> .....
>
> It seems that since $code = "$row.. uses double quotes it seems that
> it is putting the value of $password there instead of the actual string
> '$password'

Why don't you print the $code somewhere so that you may look at it and see what exactly is there? Stop guessing. Test!

Dan : I've done that and what I said before is :
> it is putting the value of $password there instead of the actual string
> '$password'
So if I print $code; and $code is "print $password;" and $password is 'secret' then the results of print code are :

    print secret;

Anyway, if the value of $row[$i] is 'print $password;' then the $code WILL contain 'print $password;'.

Dan : It hasn't so far but maybe the print @row will shed some light.

The variable interpolation is NOT recursive. But maybe the $row[$i] contains something unexpected. Print out @row as well!

Jenda
===== [EMAIL PROTECTED] === http://Jenda.Krynicky.cz =====
When it comes to wine, women and song, wizards are allowed to get drunk and croon as much as they like.
  -- Terry Pratchett in Sourcery

--
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
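
The template substitution suggested in the reply above, as an added example that is not part of the original thread. The `fill_template` helper, the sample data and the choice to reject unknown placeholders are assumptions made here; the last lines also show the non-recursive interpolation the reply describes.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Replace each %Name% with $data->{Name}. A placeholder that is not a key of
# the hash is an error instead of silently becoming an empty string.
sub fill_template {
    my ($template, $data) = @_;
    my @unknown;
    (my $out = $template) =~ s{%(\w+)%}{
        exists $data->{$1} ? $data->{$1} : do { push @unknown, $1; '' }
    }ge;
    die "unknown placeholder(s): @unknown\n" if @unknown;
    return $out;
}

# Constructed sample data; the field names come from the template in the thread.
my %data = (JobTitle => 'Perl Developer', SiteName => 'example.org', ExpireInDays => 7);

# Single-quoted here, as text fetched from a database row would be: plain data.
my $template = 'This is a notification that the %JobTitle% job posting on '
             . '%SiteName% will expire in %ExpireInDays% days.';
print fill_template($template, \%data), "\n";

# A stored value that looks like Perl or like another placeholder is copied
# through as text: the substitution makes one pass and evaluates nothing.
my $password = 'secret';    # never reachable from a template
$data{JobTitle} = 'print $password; %SiteName%';
print fill_template('Title: %JobTitle%', \%data), "\n";

# Only keys of %data can be referenced, so there is no name to filter out.
eval { fill_template('Login: %password%', \%data); 1 }
    or print "rejected: $@";

# Double-quoted interpolation is likewise not recursive: the pieces of @row
# are inserted once, so the variable name survives and the regex sees it.
my @row  = ('print', '$password;');
my $code = "$row[0] $row[1]";
print "code mentions \$password\n" if $code =~ m/\$password/;
```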