How does using 'require' differ from using 'eval'? The documentation of 'require' states that it is fundamentally a fancy 'do', which is just another way of saying 'eval'. It's not the "catching errors" part that worries people. It's the fact that your required file could contain stuff you didn't expect, such as a program to send your password file to some remote system.

All in all, it is probably best to not require, include, or in any way run code that is arbitrary. 'use', being a compile time thing (outside of eval, of course) is a lot safer since the code can't really be modified while the program is running.

However, if you are operating in a "clean room" environment, such as a dedicated server with strictly controlled access, where the output from Data::Dumper cannot be tampered with in any conceivable way, I would say that eval'ing that code is not as risky as some would have you believe.

The real risk comes from running on shared systems with untrusted users who may be able to "deposit" files in your dump directory since they are using the same Web server user (i.e. nobody) and then are able to execute arbitrary code.

---

---

• Are you posting in the right place? Check out Where do I post X? to know for sure.
• Posts may use any of the Perl Monks Approved HTML tags. Currently these include the following:

  <code> <a> <b> <big> <blockquote> <br /> <dd> <dl> <dt> <em> <font> <h1> <h2> <h3> <h4> <h5> <h6> <hr /> <i> <li> <nbsp> <ol> <p> <small> <strike> <strong> <sub> <sup> <table> <td> <th> <tr> <tt> <u> <ul>

• Snippets of code should be wrapped in <code> tags not <pre> tags. In fact, <pre> tags should generally be avoided. If they must be used, extreme care should be taken to ensure that their contents do not have long lines (<70 chars), in order to prevent horizontal scrolling (and possible janitor intervention).
• Want more info? How to link or How to display code and escape characters are good places to start.