On 9/8/06, Owen <[EMAIL PROTECTED]> wrote:
> I have a cgi script that processes a form in which the following line of code is found:
>
>     $name =~ s/[`\\"_|!\$\.\^]//g; # remove likely malicious bad characters
>
> Just wondering if there is a better way to do this, as I suspect I am a little naive. Need to pass only the low ASCII set [A..Za..z] and the ' for names like O'Reilly. Maybe I should return the form unless
>
>     unless ($name =~ /^[A-Za-z']+$/) { return to form }
>
> Any advice welcomed. TIA
>
> Owen
Owen,

See the resources John mentioned. To answer your question more specifically, though: your list is pretty limited. '*', '$' and particularly ';' can be nasty, too, and I'm sure there are still some we've forgotten. A better option would be:

    $name =~ s/[^[:alpha:]' .-]//g;
    $name = quotemeta($name);

Better, though, would be to use the taint switch. This has a couple of advantages. First of all, it forces you to catch all the places tainted data may be entering your script, not just the obvious ones. Second, it forces you to extract the substring values you want from the user input before you use it. Looking for the specific things you want to allow is almost always a more secure route than trying to figure out the complete set of all the possible values you don't want and trying to ignore them.

    die "I'm watching you" unless $name =~ /([[:alpha:]' .-]+)/;
    $goodname = quotemeta($1);

HTH,

-- jay
--------------------------------------------------
This email and attachment(s): [ ] blogable; [ x ] ask first; [ ] private and confidential
daggerquill [at] gmail [dot] com
http://www.tuaw.com
http://www.downloadsquad.com
http://www.engatiki.org
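The allowlist-plus-taint approach from the reply above, as an added example that is not code from either poster: the difference from the reply's one-liner is that the match is anchored, so the whole value must consist of allowed characters instead of just containing a run of them. The sub name sanitize_name, the length bound and the sample inputs are my own assumptions; run it with perl -T so the shebang's taint switch takes effect.

```perl
#!/usr/bin/perl -T
# Added example (not from the thread). Under -T, form data is tainted and the
# only thing that untaints it is extracting it through a regex capture.
use strict;
use warnings;

# Accept only letters, apostrophe, space, dot and hyphen (the reply's class).
# Reject the whole value instead of silently stripping bad characters, so a
# user sees what went wrong and nothing half-cleaned reaches a shell or SQL.
sub sanitize_name {
    my ($raw) = @_;
    return undef unless defined $raw;
    return undef if length($raw) > 64;   # assumed upper bound for a name field
    # Anchored with \A and \z: unanchored, "Bobby'; ls" would match "Bobby'"
    # and pass the check with the rest of the string still attached.
    return undef unless $raw =~ /\A([[:alpha:]' .-]+)\z/;
    return $1;                           # the capture is the untainted copy
}

# Constructed sample inputs: 1 = should be accepted, 0 = should be rejected.
my %samples = (
    "O'Reilly"        => 1,
    "Jean-Luc Picard" => 1,
    "St. John-Smythe" => 1,
    "Bobby'; ls"      => 0,   # apostrophe is fine, the ';' is not
    'a$(id)b'         => 0,
    "<b>Owen</b>"     => 0,
    ""                => 0,
);

for my $input (sort keys %samples) {
    my $clean = sanitize_name($input);
    my $ok    = defined $clean ? 1 : 0;
    printf "%-20s %s%s\n", "'$input'",
        ($ok ? "accepted: $clean" : "rejected"),
        ($ok == $samples{$input} ? "" : "  <-- UNEXPECTED");
}
```

If the cleaned value is later interpolated into a regex, apply quotemeta at that point, as the reply does; it is not needed for plain storage or display.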