PerlMonks
Re^2: Any security holes?
by LanX (Saint) on Jun 26, 2022 at 17:05 UTC ( [id://11145092] )
(Just for the records, I know you know this already! =)

> to help mitigate this is to escape any strings ... HTML::Entities.

Yes, escaping mitigates injections, and is a good first workaround.

But I always prefer to strictly reject any unexpected character. For instance, why should an input "age" include anything else than digits, why "name" more than word characters plus maybe . - and ' ?

Additionally: in my applications I apply the exact same regex filter rules via JS input validators on the client side too.² Like this I can not only reject broken input on the server side, but also raise an alarm about an intentional manipulation.°

All this of course plus escaping or use of placeholders on all interpreted levels (HTML, JS, Perl, SQL, ...). Security is best provided by multiple lines of defense.

Cheers Rolf

°) that's part of OWASP too.
²) thankfully, JS copied Perl4 Regex rules almost completely
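The approach described in the post above, as an added example that is not LanX's code: one set of whitelist regex rules kept as plain strings, anchored separately for the Perl server side (`\A...\z`) and for a generated JS client-side validator (`^...$`, since JS has no `\A`/`\z`), a server-side check that treats any rule failure as a possible manipulation (because a legitimate browser submission would already have been stopped by the client validator), and HTML escaping plus SQL placeholders as the second layer. The field names, patterns and the `validate`/`rules_as_js` helpers are illustrative assumptions; `HTML::Entities` is a CPAN module, and the DBI call is shown as a comment since no database is available here.

```perl
#!/usr/bin/env perl
# Added example (not from the original post): whitelist validation shared
# between server and client, with escaping/placeholders as a second layer.
use strict;
use warnings;
use HTML::Entities qw(encode_entities);   # CPAN module mentioned in the thread

# Rules as unanchored strings so they can be reused verbatim in JS.
# Caveat: Perl's \w is Unicode-aware on decoded strings, JS's \w is ASCII-only;
# stay with explicit classes if both sides must agree on non-ASCII names.
my %RULES = (
    age  => '[0-9]{1,3}',            # digits only
    name => "[\\w.'-]{1,60}",        # word chars plus . - '
);

# Server side: every field must match its rule completely.
# Returns (1, \%clean) on success or (0, \@failed_fields) otherwise.
# A failed submission should not occur from a well-behaved client, because
# the browser applies the same rules first, so it is logged as tampering.
sub validate {
    my (%input) = @_;
    my (%clean, @bad);
    for my $field (sort keys %RULES) {
        my $v = defined $input{$field} ? $input{$field} : '';
        if ($v =~ /\A(?:$RULES{$field})\z/) {
            $clean{$field} = $v;
        } else {
            push @bad, $field;
        }
    }
    if (@bad) {
        warn "possible tampering: fields failed server-side rules: @bad\n";
        return (0, \@bad);
    }
    return (1, \%clean);
}

# Client side: emit the same rules as a JS object of anchored regex literals.
sub rules_as_js {
    my $js = "const RULES = {\n";
    for my $field (sort keys %RULES) {
        my $pat = $RULES{$field};
        $pat =~ s{/}{\\/}g;          # a literal slash would end the JS regex literal
        $js .= "  $field: /^(?:$pat)\$/,\n";
    }
    return $js . "};\n";
}

print rules_as_js();

# Constructed inputs: one clean submission, one with injection payloads.
my ($ok, $res) = validate(age => '42', name => "O'Brien");
if ($ok) {
    # Second line of defense: escape for the HTML context and bind as
    # placeholders for SQL even though the values already passed the rules.
    printf "<td>%s</td><td>%s</td>\n",
        encode_entities($res->{name}), encode_entities($res->{age});
    # $dbh->do('INSERT INTO people (name, age) VALUES (?, ?)',
    #          undef, $res->{name}, $res->{age});
}

my ($ok2, $res2) = validate(age => '42; DROP TABLE people', name => '<script>');
print "rejected fields: @$res2\n" unless $ok2;
```

Because the rules are the single source of truth, a mismatch between what the browser accepts and what the server accepts cannot drift over time; only a client that skipped or altered the JS validator can produce a server-side rejection, which is what makes the alarm meaningful.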
In Section: Seekers of Perl Wisdom