So what I'd like to be able to do is:
my ($find,$replacewith,$case) = $dbh->selectrow_array($query);
$string =~ s/$find/$replacewith/gi if $case;
$string =~ s/$find/$replacewith/g if !$case;
Since a user could put whatever they want in the database, what should I do to make that work so it's safe?
If there are no metacharacters, you can use \Q to quote $find:
my $ci = $case ? '(?i)' : '';
$str =~ s/$ci\Q$find\E/-/g;
Thanks for the idea! One problem is they could put anything in there, metacharacters, a regex exploiting string, anything.
The above example turns all metacharacters to normal characters, making the expression safe. If you do want to allow metacharacters, you will have to scan the string looking for dangerous expressions. Dangerous expressions are those that allow arbitrary perl code to be executed. Those include: @{[...]}, ${\(...)}, (?{...}), (??{...}). Note that arbitrary spaces can appear within the first two, so you must allow for that. This list may change with future versions of perl, so it is not reliable.
A better solution would be to allow only a subset of metacharacters, escaping everything else. This would require much more effort, but would be safer. Perhaps there is a module that does something like this? If not, there should be.
So I need a way to make it safe to run the variables in the regex without knowing beforehand what's in them.
Does that make sense? Something like this:
# $string, $find, $replace all my() and strictified earlier ;p
my $find_safe = make_var_regex_safe($find);
my $replace_safe = make_var_regex_safe($replace);
$string =~ s/$find_safe/$replace_safe/g;
# we won't worry about the case yet, although I do like that idea Randy :) thanks!
Randy.
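One way to implement the allow-list idea from the reply above, as an added example that is not code from the thread. The name make_var_regex_safe is borrowed from the question; its body, the allowed set (. * + ^ $) and the length cap are assumptions, and the rows and test string are constructed sample data.

```perl
use strict;
use warnings;

# Assumed policy: only these characters keep their regex meaning.
my %ANCHOR  = map { $_ => 1 } qw( ^ $ );
my %QUANT   = map { $_ => 1 } qw( * + );
my $MAX_LEN = 100;    # assumed cap on stored pattern length

# Returns a compiled regex, or nothing (undef) if the pattern is refused.
sub make_var_regex_safe {
    my ($find, $case) = @_;
    return if !defined $find || $find eq '' || length($find) > $MAX_LEN;
    my ($pat, $quantifiable) = ('', 0);
    for my $ch (split //, $find) {
        if ($QUANT{$ch}) {
            # A quantifier must follow a literal or "."; refuse "a**", "^*", "+x".
            return unless $quantifiable;
            $pat .= $ch;
            $quantifiable = 0;
        }
        elsif ($ANCHOR{$ch}) {
            $pat .= $ch;
            $quantifiable = 0;
        }
        else {
            # "." stays a wildcard; everything else, including ( ) [ ] { } | \ ?,
            # is escaped and matches only itself.
            $pat .= $ch eq '.' ? $ch : quotemeta $ch;
            $quantifiable = 1;
        }
    }
    # Compiled without "use re 'eval'"; a compile error yields undef.
    return eval { $case ? qr/$pat/i : qr/$pat/ };
}

# Constructed rows standing in for ($find, $replacewith, $case) from the database.
my @rows = (
    [ 'c.t+',       '<$1>', 1 ],    # allowed subset; the "$1" in the replacement is not expanded
    [ '(?{ die })', 'X',    0 ],    # "(" is escaped, so no (?{...}) construct forms
    [ 'a**',        'X',    0 ],    # stacked quantifier, refused
);
my $string = 'Cat, cutt, (?{ die }) and a**';
for my $row (@rows) {
    my ($find, $replacewith, $case) = @$row;
    my $re = make_var_regex_safe($find, $case);
    if (!defined $re) { print "refused: $find\n"; next; }
    (my $out = $string) =~ s/$re/$replacewith/g;
    print "$find => $out\n";
}
```

The replacement value is passed through unchanged: without /e, s/// inserts the contents of $replacewith as plain text and does not interpolate them a second time.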