On Fri, Jan 22, 2010 at 4:55 PM, Dan Linder <dan@linder.org> wrote:
> I'm working on my inherited project trying to fix the various "search"
> fields that have been added over the years. Some fields perform a
> strict search for the text, others do the search but ignore case, some
> allow basic ^$ regexp modifiers, others treat them as the characters
> themselves. *sigh*
>
> Since the search string being supplied is coming straight from a text
> field on a web page, I don't think I should use that text directly
> inside a regexp query like this, should I:
>
> use CGI;
> $mycgi = CGI->new();
> $search_string = $mycgi->param('SEARCHSTRING');
> if ($data =~ /$search_string/i) {   # /o dropped: it would pin the first search string in a persistent process
>     # Do something if we match...
> }
>
> My understanding is that it is/might be possible to get bad data
> pushed into the $search_string and cause the /regexp/ call to execute it
> or perform something not intended. But if I
>
> Or am I/we being overly cautious? I've tried stuffing a number of bad
> things into the field and they don't seem to have any bad effect.
You are definitely not being overcautious. Try searching for:
(?{open FH,"/etc/passwd";local $/;print <FH>})
I'd recommend running anything through quotemeta() before using it in your regexp.
> Thanks,
> Dan
> --
> ***************** ************* *********** ******* ***** *** **
> "Quis custodiet ipsos custodes?"
> (Who can watch the watchmen?)
> -- from the Satires of Juvenal
> "I do not fear computers, I fear the lack of them."
> -- Isaac Asimov (Author)
> ** *** ***** ******* *********** ************* *****************
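To show what the quotemeta() advice buys in practice, here is an added example (my code, not anything posted in the thread) that builds the search regex for the three field behaviours Dan describes (strict, case-insensitive, and "^ and $ honoured as anchors") and probes it with constructed inputs. The function names, option names and sample record are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Build a regex from an untrusted search string. quotemeta() escapes every
# non-word character, so '.', '*', '?', '(' and a '(?{ ... })' code block are
# all matched as plain text. Two switches cover the field behaviours from
# the thread: ignore_case, and anchors (honour a leading '^' / trailing '$').
sub build_search_re {
    my ($raw, %opts) = @_;
    my ($lead, $trail) = ('', '');
    if ($opts{anchors}) {
        $lead  = '^' if $raw =~ s/\A\^//;
        $trail = '$' if $raw =~ s/\$\z//;
    }
    my $literal = quotemeta($raw);          # equivalent to \Q$raw\E
    my $pat     = "$lead$literal$trail";
    return $opts{ignore_case} ? qr/$pat/i : qr/$pat/;
}

# 1 if $data matches the escaped search string, 0 otherwise.
sub search_matches {
    my ($data, $raw, %opts) = @_;
    return $data =~ build_search_re($raw, %opts) ? 1 : 0;
}

# Constructed sample record and probes; not taken from the thread.
my $data = 'user=alice path=/etc/passwd note=a.b';
my @probes = (
    # [ search string,          options,              expected ]
    [ 'a.b',                    {},                   1 ],  # literal "a.b" is present
    [ 'a?b',                    {},                   0 ],  # '?' is not "optional a"
    [ '.*',                     {},                   0 ],  # no literal ".*" in the data
    [ 'ALICE',                  { ignore_case => 1 }, 1 ],
    [ '^user',                  {},                   0 ],  # '^' is literal with anchors off
    [ '^user',                  { anchors => 1 },     1 ],
    [ 'a.b$',                   { anchors => 1 },     1 ],
    [ '(?{ die "code ran" })',  {},                   0 ],  # stays text, never compiled as code
);

for my $p (@probes) {
    my ($raw, $opts, $want) = @$p;
    my $got = search_matches($data, $raw, %$opts);
    printf "%-26s %s\n", $raw, $got == $want ? 'ok' : 'MISMATCH';
}
```

Without the quotemeta() call, the last probe would either be compiled as a code block or abort the match with an "Eval-group not allowed at runtime" error, and '.*' would match every record.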
_______________________________________________
Omaha-pm mailing list
Omaha-pm@pm.org
http://mail.pm.org/mailman/listinfo/omaha-pm