Beefy Boxes and Bandwidth Generously Provided by pair Networks
Pathologically Eclectic Rubbish Lister
 
PerlMonks  

RE: CGI Security and the null byte problem

by extremely (Priest)
on Oct 26, 2000 at 10:39 UTC ( #38560=note: print w/replies, xml ) Need Help??


in reply to CGI Security and the null byte problem

You left out a simple example or two on how to specify what you will allow. So, Allow me =)
my $file = $cgi->param( 'file' ); my $data; # # One way # $file =~ s#[^A-Z0-9a-z.]+##g; #strip down to alphanum and period # can change the meaning of what people post. $file =~ m#(.*)#; #evil evil evil if you haven't striped. $data = $1 || ""; #not really necessary to have alternate, nice tho. # # Alternate way # $file =~ m#([A-Z0-9a-z.]+)#; #grab first good chunk. # can potentially ignore a lot of data and boggle the user $data = $1 | ""; #you really want this now, match can fail. # # My "best" way # die "Eeeek! Evil data sent to the 'file' parameter!\n" if ($file =~ m#[^A-Z0-9a-z.]#); #now use the first method above to detaint anyway...

--
$you = new YOU;
honk() if $you->love(perl)

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://38560]
help
Chatterbox?
[Discipulus]: passed choroba but with one hole more
[ambrus]: Corion, moritz: haha. I moved to different rooms like eight times in the five year's working here so far.
[ambrus]: Discipulus: ouch
[Discipulus]: eh, at the end i cannot compete with brother choroba, i just profited he is at lunch
[pra]: What is the best way to determine if a given string is a valid color?
[Discipulus]: context pra? tk html console naturla language?
[Corion]: Or HTML color like #c0ffee ?

How do I use this? | Other CB clients
Other Users?
Others contemplating the Monastery: (12)
As of 2017-10-17 11:35 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?
    My fridge is mostly full of:

















    Results (226 votes). Check out past polls.

    Notices?