Strip characters



Dec 4, 2000, 8:50 AM

Post #1 of 3 (481 views)
Strip characters

What characters should be stripped from an input field for a script so the input field cannot be used for abuse of the script?


Jan 7, 2001, 5:15 AM

Post #2 of 3 (476 views)
Re: Strip characters [In reply to]

No stripping required :) Here's all you need:

read(STDIN, my $buffer, $ENV{'CONTENT_LENGTH'});   # raw POST body
my @pairs = split(/&/, $buffer);
my %INPUT;
foreach my $pair (@pairs) {
    my ($name, $value) = split(/=/, $pair, 2);     # limit 2: a value may itself contain '='
    $value = '' unless defined $value;             # field sent without a value
    $value =~ tr/+/ /;                             # '+' encodes a space
    $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;   # %XX hex escapes
    if ($INPUT{$name}) { $INPUT{$name} = $INPUT{$name} . "," . $value; }   # repeated field: join with ','
    else { $INPUT{$name} = $value; }
}

Best regards,




Jan 7, 2001, 6:23 AM

Post #3 of 3 (474 views)
Re: Strip characters [In reply to]

It's much easier to tell your script to check for data that is ok than to try to tell it what not to accept.

perldoc perlsec goes into the details of untainting data.

### From perlsec

Here's a test to make sure that the data contains nothing but "word" characters (alphabetics, numerics, and underscores), a hyphen, an at sign, or a dot.

if ($data =~ /^([-\@\w.]+)$/) {
    $data = $1;                # $data now untainted
} else {
    die "Bad data in $data";   # log this somewhere
}

This is fairly secure because /\w+/ doesn't normally match shell metacharacters, nor are dot, dash, or at going to mean something special to the shell. Use of /.+/ would have been insecure in theory because it lets everything through, but Perl doesn't check for that. The lesson is that when untainting, you must be exceedingly careful with your patterns. Laundering data using regular expression is the only mechanism for untainting dirty data, unless you use the strategy detailed below to fork a child of lesser privilege.

The example does not untaint $data if use locale is in effect, because the characters matched by \w are determined by the locale. Perl considers that locale definitions are untrustworthy because they contain data from outside the program. If you are writing a locale-aware program, and want to launder data with a regular expression containing \w, put no locale ahead of the expression in the same block. See SECURITY in the perllocale manpage for further discussion and examples.


See perldoc perlsec for more info.
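Putting the two replies together as one added example (not code from the thread): decode the form body the way post #2 does, then launder each decoded value with the perlsec allow-list from post #3. The sample body is constructed; note that the check runs after %XX decoding, since validating the still-encoded text would miss characters hidden behind escapes.

```perl
#!/usr/bin/perl
# Added example, not from the original thread. Under "perl -T" with the body
# read from STDIN the values would be tainted; the $1 capture in launder()
# is what clears the taint, exactly as in the perlsec snippet.
use strict;
use warnings;

# Decode one application/x-www-form-urlencoded body into name => value pairs.
sub parse_form {
    my ($body) = @_;
    my %input;
    foreach my $pair (split /&/, $body) {
        my ($name, $value) = split /=/, $pair, 2;
        $value = '' unless defined $value;
        for ($name, $value) {                       # decode names as well as values
            tr/+/ /;                                # '+' encodes a space
            s/%([a-fA-F0-9]{2})/pack("C", hex($1))/eg;   # %XX hex escapes
        }
        $input{$name} = exists $input{$name} ? "$input{$name},$value" : $value;
    }
    return \%input;
}

# Allow-list check from perlsec: only \w, '-', '@' and '.' may appear.
# Returns the laundered value, or undef if anything else is present.
sub launder {
    my ($data) = @_;
    return $data =~ /^([-\@\w.]+)$/ ? $1 : undef;
}

# Constructed sample body: "user" decodes to "alice;id", which carries a
# shell metacharacter and must be rejected; the other two fields are clean.
my $body = 'email=me%40example.com&user=alice%3Bid&note=hello-world';
my $form = parse_form($body);

foreach my $field (sort keys %$form) {
    my $clean = launder($form->{$field});
    if (defined $clean) {
        print "$field: ok ($clean)\n";
    } else {
        print "$field: rejected ($form->{$field})\n";   # log it, never pass it on
    }
}
```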


