[Omaha.pm] Sanitizing user input to use in a regexp search.
I'm working on my inherited project trying to fix the various "search"
fields that have been added over the years. Some fields perform a
strict search for the text, others do the search but ignore case, some
allow basic ^$ regexp modifiers, others treat them as the characters
themselves. *sigh*
Since the search string being supplied is coming straight from a text
field on a web page, I don't think I should use that text directly
inside a regexp query like this, should I:
use CGI;
$mycgi = CGI->new();
$search_string = $mycgi->param('SEARCHSTRING');   # closing quote was missing
if ($data =~ /$search_string/i) {   # /o dropped: it would compile the first $search_string once and reuse it
    # Do something if we match...
}
My understanding is that it is/might be possible to get bad data
pushed into the $search_string and cause the /regexp/ call execute it
or perform something not intended. But if I
Or am I/we being overly cautious? I've tried stuffing a number of bad
things into the field and they don't seem to have any bad effect.
Thanks,
Dan
--
***************** ************* *********** ******* ***** *** **
"Quis custodiet ipsos custodes?"
(Who can watch the watchmen?)
-- from the Satires of Juvenal
"I do not fear computers, I fear the lack of them."
-- Isaac Asimov (Author)
** *** ***** ******* *********** ************* *****************
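As an added illustration (not Dan's code and not part of this thread): quotemeta(), or \Q...\E inside the pattern, escapes every regex metacharacter so the user's text is matched literally, which is the usual answer to the concern above. The per-field options $allow_anchors and $ignore_case are assumed names for the field behaviours the message describes, and the length limit is an assumption too.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Build a safe regex from untrusted search text.
#   $allow_anchors: a leading ^ and/or trailing $ keep their meaning,
#                   everything in between is matched literally.
#   $ignore_case:   add the /i flag.
sub build_search_re {
    my ($raw, $allow_anchors, $ignore_case) = @_;
    # Assumed limit: even a quoted pattern should not be arbitrarily long.
    die "search string too long\n" if length($raw) > 200;

    my $pattern;
    if ($allow_anchors) {
        # Peel off the optional anchors first, then quote only the body.
        my ($lead, $body, $trail) = $raw =~ /\A(\^?)(.*?)(\$?)\z/s;
        $pattern = $lead . quotemeta($body) . $trail;
    } else {
        # quotemeta() is what \Q...\E does inside a regex literal.
        $pattern = quotemeta($raw);
    }
    return $ignore_case ? qr/$pattern/i : qr/$pattern/;
}

# Constructed sample data and search strings for the demo.
my $data = 'Price: $5.00 (approx)';
my @tests = (
    # [ user text,        allow_anchors ]
    [ '$5.00 (approx)',   0 ],   # literal: $ ( ) . are plain characters
    [ '^price',           1 ],   # anchored search where the field allows it
    [ '^price',           0 ],   # same text in a literal-only field
    [ '(a+)+$',           0 ],   # pathological pattern, now just characters
);

for my $t (@tests) {
    my ($text, $anchors) = @$t;
    my $re = build_search_re($text, $anchors, 1);
    printf "%-16s anchors=%d  %-28s %s\n",
        $text, $anchors, $re, ($data =~ $re ? 'match' : 'no match');
}
```

The first two searches match, the third and fourth do not, because in a literal-only field ^ and the repetition metacharacters are escaped before the pattern is compiled.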