Why does my Perl backticks complain “sh: line 1: any: command not found”?

Question

I've never programmed before, but needed to write a very simple webapp for work.

I'm trying to get this dig query to work:

dig @8.8.8.8 +nocomments +nostats +noquestion +nocmd google.com any

With this bit of perl:

$dig = `/usr/bin/dig \@8.8.8.8 +nocomments +nostats +noquestion +nocmd $query any`;

Except it doesn't seem to recognize "any" at the end of dig and gives me:

sh: line 1: any: command not found

What stupidly simple thing am I doing incorrectly?

Answer 1

I bet $query has a newline in it, causing your shell to see any as a new command.

Try doing chomp $query; before your system call to remove the newline. More on chomp.

Answer 2

You should probably use dig ... '$query' so it's single-quoted when the shell sees it. If you don't do that, then the shell will interpret any metacharacters. If someone puts "; echo my_key > ~/.ssh/authorized_keys" into your web form, then you're screwed. Even if it's for internal use only, you don't want it to break if someone puts in something with spaces in the query (which the shell will word-split and pass to dig as two args.)

You can use perl's

\Q$query\E

to expand $query with ever potential metacharacter \escaped. Actually, that's much better than adding single quotes, if the query contains a single-quote character, it will break out of the quotes. Still super-easy to attack. This should fix that in into your memory.

Perl has safe ways to use the system() function to specify the args as a list of strings, avoiding /bin/sh, rather than one string to be evaluated as a shell command. This is the safest way, but there's no back-tick version of that without doing the pipe && fork && exec yourself.

Answer 3

Most likely, it's something that's in the $query variable that's breaking the command string. Can you give us an example where it is failing and giving the error? Or show a little more of your script?