in reply to Re^2: Allowing regex entries in web form to search database: Risks or gotchas?
in thread Allowing regex entries in web form to search database: Risks or gotchas?
You wrote "database" so I assumed there's a database engine, say PostgreSQL, and that's where you store the data. If it were so you could either use the regexps provided by that database engine, use Perl within that engine or fetch all the data to be searched and evaluated the expressions within the script.
It's you who defines safe and you need to decide what's safe for each individual use. The point is that instead of
you should always writeif ($input =~ /something I already know is dangerous/) { die 'I refuse + to handle this!'; }
if ($input !~ /^only stuff I know is fine$/) { die 'I refuse to handle + this!'; }
I can't give you a generic "this is unsafe" or a generic "this is safe" not knowing what happens to the $input afterwards. It's something you have to do. The thing is that it's much easier to forget to list something that's dangerous, than it is to accidentally allow something that's dangerous.
Jenda
1984 was supposed to be a warning,
not a manual!