note
JavaFan
Actually, $dir and $_ will only be interpreted by the shell if they contain "funny" characters. If a string passed as argument to qx or one-arg system contains just alphanums, underscores and whitespace, no shell gets involved, perl will call execv directly.
<p>
But obviously, if you don't know what $dir contains, you shouldn't use <tt>`ls $dir`</tt>, and if you aren't in control of the content of the directory you should use <tt>`cat $_`</tt>.
<p>
<em>
Even if you don't think that this is important in your case, it's better to make the code more maintainable and re-usable for security-aware scenarios.
</em>
<p>
I cannot agree with that, if only for the reasons it's often not mutually possible. More maintable code usually means <em>simpler</em> code, while code that needs to be run in a possible hostile environment tends to be more complex than code that doesn't have to run in such an environment. "More maintable" and "re-usable for security aware scenarios" are most of the time conflicting requirements.
707234
707248