You need to use a user’s input as part of a command, but you
don’t want to allow the user to make the shell run other
commands or look at other files. If you just blindly call the
backticks on a single string containing a command line, the shell
might be used to run the command. This would be unsafe.
Unlike its single-argument version, the list form of the
system function is safe from shell escapes. When
the command’s arguments involve user input from a form, never
system("command $input @files"); # UNSAFE
Write it this way instead:
system("command", $input, @files); # safer
Because Perl was designed as a glue language, it’s easy to use it to call other programs—too easy, in some cases.
If you’re merely trying to run a shell command but don’t
need to capture its output, it’s easy enough to call
system using its multiple argument form. But what
happens if you’re using the command in backticks or as part of
a piped open? Now you have a real problem, because those don’t
permit the multiple argument form that
does. The solution is to manually
exec the child processes on your own. It’s
more work, but at least stray shell escapes won’t be ruining
It’s safe to use backticks in a CGI script only if the arguments you give the program are purely internally generated, as in:
chomp($now = `date`);
But if the command within the backticks contains user-supplied input, perhaps ...