Beefy Boxes and Bandwidth Generously Provided by pair Networks
Just another Perl shrine
 
PerlMonks  

Re: Security?

by ajt (Prior)
on Apr 24, 2003 at 08:54 UTC ( #252803=note: print w/replies, xml ) Need Help??


in reply to Security?

As a general rule it's safer to remove anything that doesn't match a safe pattern, rather than anything that matches an unsafe pattern. There is even an old CERT warning about this with examples in several languages, including Perl.

Typically the best thing to do is run Perl in Taint mode (sometimes annoying on NT/IIS) and carefully de-taint your input data. As Abigail-II says though if it's not clear the next coder could removed it if they don't understand it.

For example, this de-taints the data, and only allows though data made up of: dashes; alpha-numerics; white-spaces and the at-symbol.

$output = $1 if ($input =~ /^([-\w\s\@]+)$/);

See also:


--
ajt

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://252803]
help
Chatterbox?
[Lady_Aleena]: LanX, for every module I've written?
[huck]: Lady_Aleena see Re: pl script in webserver and/or Re: pl script in webserver for what they use
[Lady_Aleena]: Wouldn't I have to run the modules somehow to get their %INC?
[huck]: the first one works just fine from the command line but requires editing
[huck]: but neither will handle autoloads
[Lady_Aleena]: huck, I was thinking more along the lines of just getting all my .pm files, iterating over them, and making a big ol' hash or something.

How do I use this? | Other CB clients
Other Users?
Others pondering the Monastery: (5)
As of 2017-05-27 00:12 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?