using quotemeta?

 



Grizz
Deleted

Jan 16, 2001, 12:54 PM

Post #1 of 7 (2890 views)
using quotemeta?

I would like to add a little security to a database manager without using -T, since there would be too many variables to untaint. I would like to use the quotemeta or Q on an incoming variable, i.e. $in{'something'}.
print quotemeta('$in{'something'}'); or
print if m/\Q$in{'something'}\E/;
Neither one of these looks right.
I would like to clean out the variable and use it in the script that follows.
Maybe a substitution would be better, but the list of metas would be long.
I'd appreciate any ideas. Thanks




japhy
Enthusiast / Moderator

Jan 16, 2001, 1:36 PM

Post #2 of 7 (2887 views)
Re: using quotemeta?

Either method is fine.


Code
$safe = quotemeta $some{var}; 
if ($string =~ /$safe/) { ... }

if ($string =~ /\Q$some{var}\E/) { ... }

However, if you're just using them in regexes BY THEMSELVES, forget about that, and use eq or index() instead:


Code
if ($string eq $some{var}) { 
# exact match
}

if (index($string, $some{var}) != -1) {
# $some{var} is IN $string somewhere
}

Jeff "japhy" Pinyan -- accomplished hacker, teacher, lecturer, and author


sleuth
Enthusiast

Jan 16, 2001, 1:37 PM

Post #3 of 7 (2887 views)
Re: using quotemeta?

 
If you're using a hash to read all of the variables passed to your script you could do this.

# iterate over the keys only; a bare %in would yield keys and values
foreach $key (keys %in){
$in{$key} =~ s!\W!!g;
}

That'll remove all NON Word characters. Just a short example, I'm sure you don't want to cut out numbers though, but you could modify it to remove the stuff you're looking to get rid of.

Sleuth



Grizz
Deleted

Jan 16, 2001, 4:42 PM

Post #4 of 7 (2885 views)
Re: using quotemeta?

Thanks for the input guys.
To Jeff the hacker,
I'm already using if(exact match){--} to make decisions on what comes next. Are you saying this removes metacharacters before they can be used against you? Thanks again



Grizz
Deleted

Jan 18, 2001, 9:05 AM

Post #5 of 7 (2875 views)
Re: using quotemeta?

I ended up trying
$in{'var'} =~ quotemeta $in{'var'};
this worked except it prints a backslash when the $var has a space..
trying to figure the proper way to use x to allow whitespace..maybe this ???
$in{'var'} =~ quotemeta $in{'var'}\x;

would also like to change this:
$in{'var1'} =~ quotemeta $in{'var1'};
$in{'var2'}=~ quotemeta $in{'var2'};
etc
etc.....to
$in{'all variables'} =~ quotemeta $in{'all variables'};

Time for another pot of coffee, Thanks....Chuck




japhy
Enthusiast / Moderator

Jan 18, 2001, 9:42 AM

Post #6 of 7 (2874 views)
Re: using quotemeta?

Grr, you're doing


Code
$foo =~ quotemeta($foo);

when you should be doing


Code
$foo = quotemeta($foo);

And if you want to quotemeta() a list of variables, like all the values in a hash, you can do this:


Code
$_ = quotemeta for @hash{keys %hash}; 
# or if you're using Perl 5.6.0
$_ = quotemeta for values %hash;

Jeff "japhy" Pinyan -- accomplished hacker, teacher, lecturer, and author


cir
Novice

May 21, 2001, 7:19 AM

Post #7 of 7 (2814 views)
Re: using quotemeta?

"I'm already using if(exact match){--} to make decisions on what comes next. Are you saying this removes
metacharacters before they can be used against you?........."

What's special to regexes isn't special to the eq, ne, etc. operators. So .+ would mean anything in a regex, whereas .+ would literally mean .+ to those other operators.

http://
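
An added example, not code from any poster in this thread: it runs the approaches discussed above (raw interpolation, \Q...\E, index() and eq) side by side on the same user-supplied values, and shows why the result of quotemeta belongs in a pattern rather than back in the variable. The %in values, the records and the helper name compare_matches are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample input standing in for parsed CGI parameters (%in).
my %in = (
    name   => 'John Smith',   # contains a space
    filter => '.+',           # regex metacharacters supplied by the user
    broken => 'a(b',          # not a valid pattern if interpolated raw
);

# Constructed records to search.
my @records = ('John Smith', 'Jane Doe', 'price .+ tax', 'a(b)c');

# Hypothetical helper: which records does each approach match for one value?
sub compare_matches {
    my ($needle, @haystack) = @_;
    my %hits;

    # 1. Raw interpolation: the value is compiled as a pattern.
    #    eval traps the compile error that an unbalanced "(" raises.
    my $raw = eval { [ grep { /$needle/ } @haystack ] };
    $hits{raw} = defined $raw ? $raw : 'pattern error';

    # 2. \Q...\E (same effect as quotemeta): metacharacters match literally.
    $hits{quoted} = [ grep { /\Q$needle\E/ } @haystack ];

    # 3. index(): plain substring search, no regex engine involved.
    $hits{index} = [ grep { index($_, $needle) != -1 } @haystack ];

    # 4. eq: exact comparison; metacharacters have no meaning here.
    $hits{eq} = [ grep { $_ eq $needle } @haystack ];

    return \%hits;
}

for my $key (sort keys %in) {
    my $hits = compare_matches($in{$key}, @records);
    print "$key = '$in{$key}'\n";
    for my $how (qw(raw quoted index eq)) {
        my $r = $hits->{$how};
        printf "  %-6s %s\n", $how, ref($r) ? join(' | ', @$r) : $r;
    }
}

# quotemeta output is pattern text, not cleaned data: storing it back
# changes the value (a backslash appears before the space).
print quotemeta($in{name}), "\n";
```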

 
 

