<div class="gmail_quote">On Fri, Jan 22, 2010 at 4:55 PM, Dan Linder <span dir="ltr"><<a href="mailto:dan@linder.org">dan@linder.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
I'm working on my inherited project trying to fix the various "search"<br>
fields that have been added over the years. Some fields perform a<br>
strict search for the text, others do the search but ignore case, some<br>
allow basic ^$ regexp modifiers, others treat them as the characters<br>
themselves. *sigh*<br>
<br>
Since the search string being supplied is coming straight from a text<br>
field on a web page, I don't think I should use that text directly<br>
inside a regexp query like this, should I:<br>
<br>
use CGI;<br>
$mycgi = CGI->new();<br>
$search_string = $mycgi->param('SEARCHSTRING');<br>
# $search_string is interpolated unescaped, so any regex syntax in it is honoured;<br>
# /o also compiles the pattern only once per process, so under a persistent<br>
# interpreter (mod_perl) later requests would keep matching the first value<br>
if ($data =~ /$search_string/io) {<br>
# Do something if we match...<br>
}<br>
<br>
My understanding is that it is/might be possible to get bad data<br>
pushed into the $search_string and cause the /regexp/ call to execute it<br>
or perform something not intended. But if I<br>
<br>
Or am I/we being overly cautious? I've tried stuffing a number of bad<br>
things into the field and they don't seem to have any bad effect.<br></blockquote><div><br></div><div>You are definitely not being overcautious. Try searching for: </div><div><br></div><div>(?{open FH,"/etc/passwd";local $/;print &lt;FH&gt;})</div>
<div><br></div><div>I'd recommend running anything through quotemeta() before using it in your regexp.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<br>
Thanks,<br>
Dan<br>
<br>
--<br>
***************** ************* *********** ******* ***** *** **<br>
"Quis custodiet ipsos custodes?"<br>
(Who can watch the watchmen?)<br>
-- from the Satires of Juvenal<br>
"I do not fear computers, I fear the lack of them."<br>
-- Isaac Asimov (Author)<br>
** *** ***** ******* *********** ************* *****************<br>
_______________________________________________<br>
Omaha-pm mailing list<br>
<a href="mailto:Omaha-pm@pm.org">Omaha-pm@pm.org</a><br>
<a href="http://mail.pm.org/mailman/listinfo/omaha-pm" target="_blank">http://mail.pm.org/mailman/listinfo/omaha-pm</a><br>
</blockquote></div><br><br clear="all"><br>-- <br>Andrew Sterling Hanenkamp<br><a href="mailto:sterling@hanenkamp.com">sterling@hanenkamp.com</a><br>785.370.4454<br>
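<div>One way to make the inconsistent search fields behave uniformly while following the quotemeta() advice above. This is an added example written for this thread, not code from either poster; the build_matcher/search subs and their anchors/ignore_case options are hypothetical names, and the input strings are constructed.</div>

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Build one consistent matcher from an untrusted search string (e.g. a CGI param).
# Hypothetical options: ignore_case => 1 adds /i; anchors => 1 honours a
# leading ^ and trailing $ explicitly. Either way the user never supplies
# raw regex syntax: everything else is escaped with quotemeta().
sub build_matcher {
    my ($raw, %opt) = @_;
    my ($anchor_start, $anchor_end) = (0, 0);
    if ($opt{anchors}) {
        $anchor_start = 1 if $raw =~ s/^\^//;
        $anchor_end   = 1 if $raw =~ s/\$$//;
    }
    # quotemeta() backslash-escapes every non-word character, so a
    # user-supplied "(?{...})", "(", ".*" or "|" only matches itself.
    # Note: Perl already refuses a (?{...}) block that arrives through
    # interpolation unless "use re 'eval'" is in effect; the remaining
    # practical risks of raw interpolation are a pattern that dies on
    # invalid syntax or one that backtracks pathologically (ReDoS).
    my $body = quotemeta($raw);
    $body = '^' . $body if $anchor_start;
    $body = $body . '$' if $anchor_end;
    # qr// compiles the pattern once per call, which is what the original
    # /o modifier was after without freezing the first request's value.
    return $opt{ignore_case} ? qr/$body/i : qr/$body/;
}

sub search {
    my ($data, $raw, %opt) = @_;
    my $re = build_matcher($raw, %opt);
    return $data =~ $re ? 1 : 0;
}

# Constructed inputs standing in for the record data and the search field.
my $data = 'User (admin) logged in from 10.0.0.5';

print search($data, '(ADMIN)', ignore_case => 1) ? "match\n" : "no match\n";  # match: parens literal, case ignored
print search($data, '^User', anchors => 1)       ? "match\n" : "no match\n";  # match: ^ treated as an anchor
print search($data, '^admin', anchors => 1)      ? "match\n" : "no match\n";  # no match: anchored to start
print search($data, '(?{die})')                  ? "match\n" : "no match\n";  # no match: searched as literal text
# Raw interpolation of '(oops' would die with "Unmatched ( in regex" and turn
# a search into a 500 error; the escaped version simply finds nothing.
print search($data, '(oops')                     ? "match\n" : "no match\n";  # no match
```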