Hi. I'm trying to get a better handle on writing to files and checking
input better before I do. :) My question is, if I arbitrarily decide that
I will not allow any filenames that have non-word characters in them, and
if I have the directory path to these files set in the script itself as
in:
use strict;
use warnings;
use CGI;
my $directory = '/path/to/some/directory';
If I then go:
my $query    = CGI->new;
my $filename = $query->param('Filename');
$filename = '' unless defined $filename;   # a missing field would otherwise warn below
$filename =~ s/\W+//g;                     # strip every non-word character
if ($filename =~ /^(\w+)$/) {              # only read $1 after a successful match
    $filename = $1;
} else {
    $filename = '';                        # a failed match leaves $1 stale or undef
}
and
if ($filename eq "") { die("No valid characters in filename"); }
Is it safe to assume that if I don't "die", then "$directory/$filename"
will A) not have any non-word characters and B) will be a file in
$directory and C) will be more or less safe in terms of someone being able
to make me write to "../../../etc" or do similar weird things? This seems
kind of too simplistic to be safe, and I'm wondering what obvious thing(s)
I'm missing. I'm mainly concerned about getting a filename from the form,
and making it so I can use it without messing up things outside
"$directory".
Thanks!
Kristina
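A defensive version of the same check, added here as an example and not part of Kristina's post: it keeps the fixed base directory, anchors the whole name to an explicit ASCII class instead of \w (which under Unicode rules also admits non-ASCII letters), reads $1 only after a successful match, and refuses to follow a symlink planted in $directory. The '/path/to/some/directory' value and the sample inputs are placeholders.

```perl
use strict;
use warnings;
use File::Spec;
use Cwd qw(realpath);

# Assumed base directory (the post's placeholder path).
my $directory = '/path/to/some/directory';

# Return the full path for a form-supplied name, or undef if it is rejected.
# The name must be 1..64 ASCII word characters; \w is avoided on purpose
# because with Unicode semantics it also matches non-ASCII letters and marks.
sub safe_path {
    my ($base, $raw) = @_;
    return undef unless defined $raw;
    return undef unless $raw =~ /\A([A-Za-z0-9_]{1,64})\z/;
    my $name = $1;    # read $1 only after the match has succeeded

    my $path = File::Spec->catfile($base, $name);

    # Refuse to write through a symlink that already sits in $base.
    return undef if -l $path;

    # Extra guard for an existing target: resolve it and confirm it is still
    # inside the resolved base. realpath() returns undef for paths that do
    # not exist yet, so a brand-new file simply skips this check.
    my $real_base = realpath($base);
    my $real_path = realpath($path);
    if (defined $real_base and defined $real_path) {
        return undef unless index($real_path, "$real_base/") == 0;
    }
    return $path;
}

# Constructed sample inputs covering the cases the post asks about.
for my $input ('report1', '../../../etc/passwd', 'foo/bar', '', '..', 'a b') {
    my $p = safe_path($directory, $input);
    printf "%-22s -> %s\n", "'$input'", defined $p ? $p : 'REJECTED';
}
```

Rejecting the input outright, rather than stripping characters and carrying on, means a user who typed "../secret" gets an error instead of silently writing to "$directory/secret".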