[Omaha.pm] Sanitizing user input to use in a regexp search.
Sterling Hanenkamp
sterling at hanenkamp.com
Fri Jan 22 15:23:58 PST 2010
On Fri, Jan 22, 2010 at 4:55 PM, Dan Linder <dan at linder.org> wrote:
> I'm working on my inherited project trying to fix the various "search"
> fields that have been added over the years. Some fields perform a
> strict search for the text, others do the search but ignore case, some
> allow basic ^$ regexp modifiers, others treat them as the characters
> themselves. *sigh*
>
> Since the search string being supplied is coming straight from a text
> field on a web page, I don't think I should use that text directly
> inside a regexp query like this, should I:
>
> $mycgi = CGI->new();
> $search_string = $mycgi->param('SEARCHSTRING');
> if ($data =~ /$search_string/io) {
> # Do something if we match...
> }
>
> My understanding is that it is/might be possible to get bad data
> pushed into the $search_string and cause the /regexp/ call execute it
> or perform something not intended. But if I
>
> Or am I/we being overly cautious? I've tried stuffing a number of bad
> things into the field and they don't seem to have any bad effect.
>
You are definitely not being overcautious. Try searching for:
(?{open FH,"/etc/passwd";local $/;print <FH>})
I'd recommend running anything through quotemeta() before using it in your
regexp.
>
> Thanks,
> Dan
>
> --
> ***************** ************* *********** ******* ***** *** **
> "Quis custodiet ipsos custodes?"
> (Who can watch the watchmen?)
> -- from the Satires of Juvenal
> "I do not fear computers, I fear the lack of them."
> -- Isaac Asimov (Author)
> ** *** ***** ******* *********** ************* *****************
>
--
Andrew Sterling Hanenkamp
sterling at hanenkamp.com
785.370.4454
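The quotemeta() advice above, worked through as an added example (this is not code from the thread or from Dan's project). The `build_search` helper, its `%opt` keys, the 200-character cap and the sample records are all constructed for the illustration. It covers the three behaviours Dan lists (strict, ignore case, honour ^ and $) from one place, and `\Q...\E` inside the pattern is the inline form of quotemeta(). Two caveats a practitioner should know: modern Perl refuses a `(?{ ... })` block that arrives through run-time interpolation unless `use re 'eval'` is in effect (which is why stuffing the field may have looked harmless), but unescaped input can still match far more than intended or, with a pathological pattern, spin the CPU; and the `/o` in the original snippet compiles the pattern once, so under mod_perl or FastCGI every later request would silently reuse the first visitor's search string.

```perl
#!/usr/bin/perl
# Added example, not code from the original thread or from Dan's project.
use strict;
use warnings;

# Compile an untrusted search string into a regex that matches it literally.
# %opt (hypothetical interface): ignore_case => 1 adds /i; anchors => 1 honours
# a leading ^ or trailing $ typed by the user, everything else stays literal.
sub build_search {
    my ($input, %opt) = @_;
    return undef unless defined $input && length $input;
    return undef if length $input > 200;   # constructed size cap for the example

    my ($lead, $trail) = ('', '');
    if ($opt{anchors}) {
        $lead  = '^' if $input =~ s/^\^//;
        $trail = '$' if $input =~ s/\$\z//;
    }
    # quotemeta() backslash-escapes every character outside [A-Za-z0-9_],
    # so ".", "(", "?", "{" and friends lose their regex meaning.
    my $src = $lead . quotemeta($input) . $trail;

    # Compile on every call: the /o in the original snippet would freeze the
    # first request's pattern for the life of a persistent process.
    return $opt{ignore_case} ? qr/$src/i : qr/$src/;
}

# Show that a run-time code block is refused by Perl when interpolated
# unescaped, and is matched as plain text once it has been quotemeta'd.
sub code_block_is_inert {
    my $payload = '(?{ 1 })';                        # constructed, harmless stand-in
    my $unescaped_died = !eval { 'x' =~ /$payload/; 1 };
    my $literal_match  = ('found (?{ 1 }) here' =~ /\Q$payload\E/) ? 1 : 0;
    return ($unescaped_died, $literal_match);
}

# Constructed sample records standing in for $data in the original post.
my @records = ('price: 10.50 USD', 'price: 1050 USD', 'Price: 10.50 usd');

my $re = build_search('10.50');
printf "strict '10.50'   -> %s\n", join ' | ', grep { /$re/ } @records;
# "." is literal, so "1050" is not a hit

$re = build_search('PRICE: 10.50', ignore_case => 1);
printf "ignore case      -> %s\n", join ' | ', grep { /$re/ } @records;

$re = build_search('^price', anchors => 1);
printf "anchored ^price  -> %s\n", join ' | ', grep { /$re/ } @records;

my ($died, $matched) = code_block_is_inert();
printf "unescaped (?{ }) died: %d, quotemeta'd matched literally: %d\n",
    $died, $matched;
```

Run it as a plain script; no CGI environment is needed. Deciding per field whether anchors are honoured (the `anchors` option) is what lets the inherited forms converge on one helper instead of each one interpolating the raw parameter its own way.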