Perl-Sensitive Sunglasses | |
PerlMonks |
Re^2: Allowing regex entries in web form to search database: Risks or gotchas?by Polyglot (Chaplain) |
on Aug 08, 2022 at 18:42 UTC ( [id://11146034]=note: print w/replies, xml ) | Need Help?? |
Yes, you're right. I'm thinking about whether to shore that up a little more or not. I actually needed a wildcard myself today, and snuck one in in my own way with:
The main reasons to guard against the wildcard privilege is simply to conserve server resources and to protect the client against a browser overload. Because there are multiple search fields that are interrelated (think of table joins), having a wildcard in one may actually be desirable so long as one of the correlated fields is sufficiently limiting. I could also address the issue, I suppose, by simply establishing a quota for max rows returned. I haven't really wanted to do that for several reasons, but, if server loading becomes problematic, that should solve it. Note, too, that those two rules are not the only ones in my list. I just picked them out for examples here. My main concern is server security. I would hate to inadvertently open myself up as a target for phishing websites, DoS attacks, etc. I've had to deal with such things in the past, but never yet from a perl script--and I'd hate to see this change. PHP, now, I haven't much good to say about its security. Blessings, ~Polyglot~
In Section
Seekers of Perl Wisdom
|
|