mcstubbins said: Dear JAPH, what are the performance and security pros and cons of using backticks? Thank you in advance.

Good question! Let’s take your question part by part…


When you use backticks your perl process forks and execs to produce a child process that is running your command. This can be quite a lot of overhead, especially if you’re doing it a lot.

For example a program which loops through files in a directory and uses a combination of backticks, zcat, and wc -l to determine the line-lengths of gzipped text files is going to be much slower than one which avoids forking by using IO::Zlib.

As a side note on that example - Perl will intelligently attempt to execute your backticks command itself, but if it can’t it farms it out to your shell. Compare the output of:

alex@yuzu:~$ strace -f perl -E 'print `/bin/ls`;' 2>&1 | grep exec
1 execve("/usr/bin/perl", ["/usr/bin/perl", "-E", "print `/bin/ls`;"]
2 [pid  6547] execve("/bin/ls", ["/bin/ls"]


alex@yuzu:~$ strace -f perl -E 'print `/bin/ls | sort`;' 2>&1 | grep exec
1 execve("/usr/bin/perl", ["/usr/bin/perl", "-E", "print `/bin/ls | sort`;"]
2 [pid  6555] execve("/bin/sh", ["sh", "-c", "/bin/ls | sort"]
3 [pid  6556] execve("/bin/ls", ["/bin/ls"]
4 [pid  6557] execve("/usr/bin/sort", ["sort"]

See the call to /bin/sh on line 2 of the second example. Also note that the number of distinct pids (process ids) is higher. Both of these show that you are “double forking” in that example - even more overhead and an even greater performance hit.

Finally on performance, when you use backticks in a list context you read the entire output of the command into memory in Perl scalars. This can be pretty memory intensive if you get a lot of output. A better option may be to buffer the output outside Perl and then read it line by line. You can do that with the executing form of open().

#!/usr/bin/env perl

use strict;
use warnings;

open(my $fh_ls, '-|', '/bin/ls')
    or die "$!";

while (my $line = readline($fh_ls)) {
    print $line;


In this form you get to reuse the same memory space for each line as you read it in and then throw it away each time around the while loop.


The big thing to be aware of with security is that backticks allow you to evaluate commands stored in whole or in part in a scalar variable.

my ($cmd, $opts) = ('/bin/ls', '-l');
my @lines = `$cmd $opts`;

That’s fine when you’re in complete control of the contents of those variables, but if you are creating those based on some external input you might be in trouble!

my $dir = $ARGV[0];
my ($cmd, $opts) = ('/bin/ls', '-l');
my @lines = `$cmd $opts $dir`;

In this example there is very little stopping a malicious user from calling your script with an argument that executes arbitrary code on your machine. At the very least they can add arbitrary elements to @lines, which could be a security whole depending on what you do with that variable later in the script.

Also there is a tendency with backticks to forget or be lazy about checking the return value of the command you called. Always make sure to check the value of ${^CHILD_ERROR_NATIVE} (or $? on version of perl before 5.8.9) after using backticks to determine whether your command succeeded or failed.

For more information I recommend perlfaq8, perlsec, and perlvar from the standard Perl documentation.


askjapher said: WHEN Perl 6 becomes the "goto" Perl, is the Linux Standard Base likely to require that instead of Perl 5?

I’m sorry to say I don’t know anything about the decision making process of the people behind the Linux Standard Base. I suspect that even if Perl 6 becomes more popular than Perl 5 it will be a long long time until Perl 5 “goes away”, and I wouldn’t be surprised if /usr/bin/perl and /usr/bin/perl6 both became requirements (or at least common fixtures) in Linux distributions.


askjapher said: What's the best way to change the name of Perl 5?

Clearly this answer is 100% my opinion only. From best to worst I see the options as:

1. No change (5.18, 5.20, 5.22, …)

I’m happy using Perl 5.16 and upgrading every year. I’m happy that modern Linux and Mac OS X distributions come with recent versions of Perl. I think we’re doing pretty ok without a big change.

2. Pumpkin Perl (Pumpkin Perl 18, 20, 22, …)

Matt Trout made some good points. Google Pumpkin Perl to read more.

I like this change because it doesn’t imply a big change like some of the others do.

3. Perl 7 (7.0, 7.2, 7.4, …)

The number 7 is sexy, there’s no denying it. But I think this would be extremely unfair to the Perl 6 community, and just confusing to everyone else.

4. Perl 2013 (2013, 2014, 2015, …)

I’m not a big fan of year-based version numbers for a number of reasons. They don’t look like version numbers and they get confusing on boundaries. eg. in March 2015 the latest version of Perl would be Perl 2014?


Welcome to Ask JAPH

Starting off with a bit of an FAQ…

What’s this all about then?

This is a bit of an experiment, but one that I hope will work out well.

When I’m not hacking away in Perl I like to play a card game called Magic: the Gathering, and in that community there are now quite a few people running these “Ask Me Questions” style Tumblr blogs. Even the head designer of the game has one, and it’s just fantastic.

Of course I don’t claim to be anywhere near the “head designer” of Perl. Mine is more inspired by Ask a Magic Judge. I’m a guy who’s been writing Perl, presenting at Perl conferences, and generally thinking about Perl a lot over the last 10 years or so, and maybe I can help some people who are newer to Perl see what all the fuss is about :-)

Who are you?

My name is Alex Balhatchet. I’m the CTO of a London based company called Lokku, which is best known for its property search engine Nestoria.

On the CPAN I’m KAORU, so you can see I’ve got a few modules under my belt. I’ve also done some presenting at conferences in my time.

What sort of questions should I ask?

Anything you like! I’ll aim to answer questions from beginners and experts alike, although the best questions are those with short and straightforward answers.

Good example:

> What’s the best way to find my current username?

Bad example:

> How do I use Dancer to build an e-commerce website?

Hope this is of interest to some people! If you have any feedback please get in touch with me at kaoru@cpan.org