[Omaha.pm] Sanitizing user input to use in a regexp search.

Dan Linder dan at linder.org
Fri Jan 22 14:55:33 PST 2010


I'm working on my inherited project trying to fix the various "search"
fields that have been added over the years.  Some fields perform a
strict search for the text, others do the search but ignore case, some
allow basic ^$ regexp modifiers, others treat them as the characters
themselves.   *sigh*

Since the search string being supplied is coming straight from a text
field on a web page, I don't think I should use that text directly
inside a regexp query like this, should I:

    use CGI;
    my $mycgi = CGI->new();
    # Untrusted text straight from the web form's SEARCHSTRING field.
    my $search_string = $mycgi->param('SEARCHSTRING');
    # Interpolated as-is, so any regexp metacharacters in it are live.
    if ($data =~ /$search_string/io) {
        # Do something if we match...
    }

My understanding is that it is/might be possible to get bad data
pushed into the $search_string and cause the /regexp/ call to execute it
or perform something not intended.  But if I

Or am I/we being overly cautious?  I've tried stuffing a number of bad
things into the field and they don't seem to have any bad effect.

Thanks,
Dan

-- 
***************** ************* *********** ******* ***** *** **
"Quis custodiet ipsos custodes?"
    (Who can watch the watchmen?)
    -- from the Satires of Juvenal
"I do not fear computers, I fear the lack of them."
    -- Isaac Asimov (Author)
** *** ***** ******* *********** ************* *****************
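Added example, not code from Dan's post: a Perl helper (hypothetical name build_search_re) that turns untrusted form text into a compiled pattern for each of the three search behaviours the message describes, escaping metacharacters with quotemeta (the same thing \Q...\E does) so the user cannot supply their own quantifiers, groups or alternation, and avoiding the /o modifier, which would freeze the first request's string into the regexp for the life of a persistent process.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Build a compiled pattern from untrusted text. Hypothetical helper, not
# from the original post. $mode selects one of the search behaviours
# described in the thread:
#   'literal'  - match the text exactly (metacharacters are literal)
#   'nocase'   - literal match, ignoring case
#   'anchors'  - only a leading ^ and a trailing $ keep their meaning
sub build_search_re {
    my ($text, $mode) = @_;
    my ($lead, $trail) = ('', '');
    if ($mode eq 'anchors') {
        $lead  = '^' if $text =~ s/^\^//;
        $trail = '$' if $text =~ s/\$$//;
    }
    # quotemeta escapes every non-word character, so whatever remains of
    # the user's text is matched as plain characters.
    my $body = $lead . quotemeta($text) . $trail;
    # Compile per call with qr//; no /o, so each request gets its own
    # pattern instead of the first request's string.
    return $mode eq 'nocase' ? qr/$body/i : qr/$body/;
}

# Constructed sample rows and searches to show the effect.
my @rows  = ('foo.bar', 'fooXbar', 'FOO.BAR', 'prefix foo.bar');
my @cases = (
    ['foo.bar',  'literal'],   # '.' must not act as a wildcard
    ['foo.bar',  'nocase'],
    ['^foo.bar', 'anchors'],   # leading ^ honoured, '.' still literal
    ['(a+)+$',   'literal'],   # grouping/quantifiers become plain text
);
for my $c (@cases) {
    my ($input, $mode) = @$c;
    my $re   = build_search_re($input, $mode);
    my @hits = grep { $_ =~ $re } @rows;
    printf "%-8s %-10s => %s\n", $mode, $input, join(', ', @hits) || '(none)';
}
```

In literal mode "foo.bar" matches only the rows containing a real dot, and "(a+)+$" matches nothing because its metacharacters are escaped rather than interpreted.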
