Perl – because programming should be fun. And 0fh in binary option a job doing Perl. Starting from the early UNIXes and before, operating systems represented code and its data as sequences of units of a certain number of bits called bytes.
Starting from Unix, which was designed to run on such machines as the 16-bit PDP-11 and later on the 32-bit VAX family of computers, this unit has generally been 8-bits. In any case, let’s suppose we have a string where we want to embed a variable containing a string. So far so good, if it’s a plain string written in plaintext. However, what if it’s in a more well-formed format? This in turn can wreck havoc upon the users of the page.
If present in web applications or web-sites, it may allow malicious crackers to set up traps to the unwary, and possibly gain access to sensitive information on the site, such as the passwords of users or administrators. And you did notice how easy it was to write code that exhibited this problem, right? Shell Command Injection – I’ve discussed it briefly in a different post about “shell variable injection” in Bash, but it also exists in Perl. A more preferable way is to use the list-forms of function arguments whenever possible. SQL injection allows a user to inject malevolent SQL code that can do untold damages in the database. It is very common in web applications and many other applications that use SQL code.
SQL syntax one can insert arbitrary SQL there and do a lot of damage. We can build its code and then use the string eval – eval “”. A lot of Perl programmers think it should be avoided at all costs, but metaprogramming has some legitimate uses. In any case, if we insert a variable into the eval “” which was input from the user without being escaped or validated, we can have an arbitrary code execution. Regular expressions’ code injection – imagine you want to see if a string is contained in a list of strings. To avoid such things one should use Perl’s three-argument open.
These are the prominent examples I can think of now, but they are not the only ones. Your program is in danger whenever it accepts text input from the user and passes it directly to an output format that has some grammar and syntax that can be influenced by this string. So how to mitigate such code injection problems? Make sure you have enough discipline to escape the input before it is passed to the output venue. If you still want to allow some user input, then make sure that you analyse it to make sure it does not contain any malicious code that can abuse the system.