On 6/11/2004 11:49 PM, Jupiterhost.Net wrote:



Randy W. Sims wrote:

JupiterHost.Net wrote:

So what I'd like to be able to do is:

my ($find,$replace,$case) = $dbh->selectrow_array($query);

$string =~ s/$find/$replace/gi if $case;
$string =~ s/$find/$replace/g if !$case;

Since a user could put whatever they want in the database, what should I do to make that work so it's safe?


If there are no metacharacters, you can use \Q to quote $find:

my $ci = $case ? '(?i)' : '';
$str =~ s/$ci\Q$find\E/-/g;


Thanks for the idea! One problem is they could put anything in there, metacharacters, a regex exploiting string, anything.


The above example turns all metacharacters to normal characters, making the expression safe. If you do want to allow metacharacters, you will


I do believe that will do me for now, I don't think they need to use meta characters, especially if it means being secure :)

have to scan the string looking for dangerous expressions. Dangerous expressions are those that allow arbitrary perl code to be executed. Those include: @{[...]}, ${\(...)}, (?{...}), (??{...}). Note that arbitrary spaces can appear within the first two, so you must allow for that. This list may change with future versions of perl, so it is not reliable.

A better solution would be to allow only a subset of metacharacters, escaping everything else. This would require much more effort, but would be safer. Perhaps there is a module that does something like this? If not, there should be.


I'm looking at the Regex:: modules but haven't seen anything yet (search for Regex:: on search.cpan.org and click on any link in the results, mine go nowhere???), also perldoc perlre has some things about this but for now I think it'll do me :)


Thanks Randy

I'm going to have to take back what I said. After thinking about it some more and doing a little testing to verify, it seems there is no way to get any of those constructs into a regex so that it will be evaluated without an eval. All other metacharacters work normally, and I guess it does make sense that the constructs mentioned above would not work by default. You can enable the latter two by using the 're' pragma (see `perldoc re`).


To the best of my knowledge, your original code is safe.

Randy.
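The two approaches discussed in this thread side by side, as an added example that is not part of the original mail (the `safe_replace`, `unsafe_replace` names and the sample rows are constructed for illustration; the rows stand in for what `selectrow_array` would hand back):

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Treat $find as a literal string: \Q...\E (quotemeta) escapes every
# regex metacharacter in it, and (?i) is prepended only when the
# user's case flag is set. $replace is plain string interpolation in
# the replacement part, since no /e flag is used.
sub safe_replace {
    my ($string, $find, $replace, $case) = @_;
    return $string if !defined $find || $find eq '';
    my $ci = $case ? '(?i)' : '';
    $string =~ s/$ci\Q$find\E/$replace/g;
    return $string;
}

# The original, unescaped interpolation, kept here only for contrast:
# metacharacters in $find now change the meaning of the pattern.
sub unsafe_replace {
    my ($string, $find, $replace, $case) = @_;
    my $ci = $case ? '(?i)' : '';
    $string =~ s/$ci$find/$replace/g;
    return $string;
}

# Constructed sample rows: (find, replace, case flag).
my @rows = (
    [ 'Hello',                  'Bye', 1 ],   # ordinary word, case-insensitive
    [ '.*',                     'X',   0 ],   # regex metacharacters
    [ '(?{ die "code ran" })',  'X',   0 ],   # code-block construct from the thread
);
my $text = 'hello HELLO world';

for my $row (@rows) {
    my ($find, $replace, $case) = @$row;
    printf "find=%-26s safe:   %s\n", "'$find'",
        safe_replace($text, $find, $replace, $case);

    # Compile-time refusal of (?{...}) shows up as a die, so trap it.
    my $out = eval { unsafe_replace($text, $find, $replace, $case) };
    my $msg = defined $out ? $out : "refused: $@";
    $msg =~ s/\s+$//;
    printf "%-31s unsafe: %s\n", '', $msg;
}
```

Running it shows the literal match leaving `.*` and the `(?{...})` row untouched in the safe version, while the unescaped version lets `.*` rewrite the whole string and, as Randy found, refuses the `(?{...})` row outright with the "use re 'eval'" error rather than running it. The remaining exposure with unescaped input is pattern cost (a user-chosen pattern can backtrack heavily on long strings), which quotemeta also removes since the match becomes a fixed string.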




-- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] <http://learn.perl.org/> <http://learn.perl.org/first-response>



