On Thu, 20 Oct 2005 03:46:43 +0200, Rhesa Rozendaal wrote:
Hi Rhesa
> I do hope you're in a tightly controlled environment, or that
> you're properly untainting and detoxifying $prefix. I'd suggest
I should give a fuller answer to this, so...
For beginners not familiar with what this detoxifying might consist of, here's
the sub which I pass all CGI form field data thru, before, say, passing it to
Data::FormValidator:
# -----------------------------------------------
sub clean_user_data
{
    my($self, $data, $max_length, $integer) = @_;

    # Reject undefined input, backticks, C0/C1 control characters,
    # and anything longer than $max_length.
    $data = '' if (! defined($data) || ($data !~ /^([^`\x00-\x1F\x7F-\x9F]+)$/) ||
        (length($1) == 0) || (length($1) > $max_length) );

    # See http://www.perl.com/pub/a/2002/02/20/css.html.
    $data = '' if ($data =~ /<script\s*>.+<\s*\/?\s*script\s*>/i);

    # Ditto, but much more strict: any complete HTML element.
    $data = '' if ($data =~ /<(.+)\s*>.*<\s*\/?\s*\1\s*>/i);

    # Trim leading and trailing whitespace.
    $data =~ s/^\s+//;
    $data =~ s/\s+$//;

    # Integer fields must be all digits; anything else becomes 0.
    $data = 0 if ($integer && (! $data || ($data !~ /^[0-9]+$/) ) );

    $data;
} # End of clean_user_data.
# --------------------------------------------------
$data is from $self -> query() -> param('some_field_name');
$max_length comes from a hash initialized in sub setup, which uses the run mode
as the outer key and field name as the inner key and looks like:
qr/find_key_surname/ =>
{
size => 60,
type => 'string',
},
--
Cheers
Ron Savage, [EMAIL PROTECTED] on 20/10/2005
http://savage.net.au/index.html
Let the record show: Microsoft is not an Australian company
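As an added illustration (not Ron's code, and not part of CGI::Application), the script below applies the same allowlist, length, HTML-element and integer rules as clean_user_data to a set of constructed inputs, with the per-field size/type table reduced to a hypothetical %rules hash keyed by field name. It also shows the caveat a practitioner would want: the cleaner rejects a complete element such as <b>bold</b>, but a lone "<" (as in "6 < 10") passes through, so the value still has to be HTML-escaped when it is echoed back into a page. The html_escape helper is an inline stand-in for HTML::Entities::encode_entities or CGI::escapeHTML.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical per-field rules, mirroring the size/type entries in the post.
my %rules = (
    surname => { size => 60, type => 'string'  },
    age     => { size => 3,  type => 'integer' },
);

# Same decisions as clean_user_data: returns the cleaned value, or ''
# (0 for integer fields) when the input is rejected.
sub clean_field {
    my ($field, $value) = @_;
    my $rule = $rules{$field} or die "no rule for field '$field'";
    my $max  = $rule->{size};
    my $int  = $rule->{type} eq 'integer';

    # 1. Allowlist: defined, no backticks, no C0/C1 control characters,
    #    and within the field's length limit.
    $value = ''
        if !defined $value
        || $value !~ /^([^`\x00-\x1F\x7F-\x9F]+)$/
        || length($1) > $max;

    # 2. Reject any complete HTML element (the stricter of the two tag
    #    tests in the original sub; non-greedy group, same behaviour).
    $value = '' if $value =~ /<(.+?)\s*>.*<\s*\/?\s*\1\s*>/i;

    # 3. Trim surrounding whitespace.
    $value =~ s/^\s+//;
    $value =~ s/\s+$//;

    # 4. Integer fields: digits only, otherwise 0.
    $value = 0 if $int && (!$value || $value !~ /^[0-9]+$/);

    return $value;
}

# Output-side escaping: cleaning does not remove a lone '<' or a quote,
# so anything echoed into HTML still needs this.
sub html_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Constructed inputs with the result clean_field is expected to return.
my @cases = (
    [ surname => 'Savage',       'Savage'  ],
    [ surname => "  O'Brien  ",  "O'Brien" ],   # trimmed, apostrophe kept
    [ surname => 'Sav`age',      ''        ],   # backtick
    [ surname => "Bob\x00",      ''        ],   # control character
    [ surname => '<b>bold</b>',  ''        ],   # complete HTML element
    [ surname => ('x' x 61),     ''        ],   # over size 60
    [ surname => '6 < 10',       '6 < 10'  ],   # lone '<' survives
    [ age     => '42',           '42'      ],
    [ age     => '4x2',          0         ],   # not all digits
    [ age     => undef,          0         ],   # missing integer field
);

for my $c (@cases) {
    my ($field, $in, $want) = @$c;
    my $got = clean_field($field, $in);
    die "clean_field($field) gave '$got', wanted '$want'\n" unless $got eq $want;

    my $shown = defined $in ? $in : 'undef';
    $shown =~ s/([\x00-\x1F\x7F])/sprintf('\\x%02X', ord $1)/ge;
    printf "%-8s %-30s -> %s\n", $field, $shown, html_escape($got);
}
print "all cases behaved as expected\n";
```

Run it with plain `perl`; every case is self-checked with `die`, and the printed right-hand column is what would be safe to place in an HTML page after escaping.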
---------------------------------------------------------------------
Web Archive: http://www.mail-archive.com/[email protected]/
http://marc.theaimsgroup.com/?l=cgiapp&r=1&w=2
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]