Beefy Boxes and Bandwidth Generously Provided by pair Networks
Your skill will accomplish
what the force of many cannot

Re: Controlling Inputted Paths in a CGI Script

by hatter (Pilgrim)
on Oct 31, 2001 at 19:10 UTC ( #122350=note: print w/replies, xml ) Need Help??

in reply to Controlling Inputted Paths in a CGI Script

I think the general rule with anything is to explicitly permit what you think is acceptable, rather than deny what you can think of that shouldn't be there. So, if you think the path should containt letters and shouldn't contain % or $ then don't use ^%$ but instead look for a-z0-9. That'll not only stop people putting in NT variables, but also disallow all sorts of weird character escape methods.

From what you've already said, you can assume your environment is fairly sanely set up, so maybe specify that the first character after a directory separator is alphanumeric, which will stop people using blah/. blah/../ blah/.somethingsomeonehid/ etc

There are probably lots of other examples of things your environment wouldn't have, so to begin with, put in something exceedingly restrictive like /([0-9a-z -]+\\)*[a-z0-9 -]+/i then come up with several real, acceptable paths and make sure they'd work. If not, loosen your definition by as little as possible to permit them to work.

the hatter

Log In?

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://122350]
[chacham]: ought to be a check constraint.
[chacham]: there's a regexp function. if that can be used ina check() constraint...
[LanX]: Thanks, but no check constraints in MySQL :/
LanX 1 ..2 ..3 ..4 .. is erix missing ;-)
LanX is Discipulus reciting "Springtime for Hitler" ?

How do I use this? | Other CB clients
Other Users?
Others perusing the Monastery: (13)
As of 2017-03-30 15:04 GMT
Find Nodes?
    Voting Booth?
    Should Pluto Get Its Planethood Back?

    Results (360 votes). Check out past polls.