For clarification: I don't trust MySQL/MariaDB for regex operations. The only part it plays in this is to turn over the records, after which they are searched via Perl, and any that match following the search get formatted and returned to the client's browser. The database is entirely isolated from the regex operations.

On one hand, I might agree with your premise that one should only use what is trusted. But that word "trusted" is precisely where things get sticky. What or whom do you trust?

If you cannot define or distinguish between what is "safe and trusted" and what is "unsafe or dangerous," then you have no validity to saying "allow only what is safe."

For illustration, personally, I don't trust Microsoft Windows anymore, having had too many virus and security issues with it in the past. One time I was having some issues with my router and couldn't seem to get it to NAT the internet through to my PC, so I temporarily bypassed the router and hooked up directly to the DSL modem (looking for answers online to solve the router issue). I kid you not, within five minutes someone was beginning to control my computer, i.e. the mouse was moving and things were changing on screen without my input. I instantly disconnected the patch cable and never tried that again with a Windows computer. (I've done similar things with Linux and Mac OS X with no problem.) I mean, five minutes!

Because Windows itself can be problematic, should one not trust it for anything? Where does one draw the line? And this is the part that you seem unwilling to attempt to define--which is why there is a weakness in your reasoning.

There is no real-world chance of any software being 100% perfectly safe. One must, of necessity, work with a reasonable level of risk (some might use the term "manageable risk"). My original question here asked for guidance as to what the specific risk factors might be. I have had very little response, other than the CPU-crashing possibilities of wildcard use in the regex. To me, this indicates that the use of regex itself is not a big security risk, or I would have many ready to jump in with their own reports of the known risks.

Which brings it back to the essential question: Are there any big "gotchas" with allowing regex in a search field?

Blessings,

~Polyglot~


In reply to Re^4: Allowing regex entries in web form to search database: Risks or gotchas? by Polyglot
in thread Allowing regex entries in web form to search database: Risks or gotchas? by Polyglot
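The one concrete risk the thread has turned up is a pattern that keeps the CPU busy through heavy backtracking. The following is an added example, not code from Polyglot or the thread, of how the "records come out of the database, Perl does the matching" design can bound that risk: the pattern is length-limited and compiled inside eval (so a malformed pattern, or a `(?{ ... })` code block, is rejected rather than run), and the match itself runs in a forked child that the parent kills when a deadline passes. The limits, the function names and the sample rows are assumptions for the example.

```perl
use strict;
use warnings;
# Assumed policy limits, not values from the original thread.
use constant MAX_PATTERN_LEN => 200;   # characters of user pattern
use constant MATCH_TIMEOUT   => 2;     # seconds of wall clock per search

# Compile the user's pattern inside eval. Without 'use re "eval"', Perl
# refuses (?{ ... }) code blocks in an interpolated pattern, so a syntax
# error and an embedded-code attempt both come back as an error string.
sub compile_user_pattern {
    my ($pat) = @_;
    return (undef, "pattern too long") if length($pat) > MAX_PATTERN_LEN;
    my $re = eval { qr/$pat/i };
    return defined $re ? ($re, undef) : (undef, "invalid pattern: $@");
}

# Run the match in a forked child and read hits back through a pipe. Perl
# only checks for signals between opcodes, so an alarm alone cannot stop
# one backtracking-heavy match mid-flight; killing the child can.
sub search_records {
    my ($re, $records) = @_;
    pipe(my $rd, my $wr) or die "pipe: $!";
    defined(my $pid = fork) or die "fork: $!";
    if ($pid == 0) {                      # child: one matching row per line
        close $rd;
        for my $row (@$records) { print {$wr} "$row\n" if $row =~ $re }
        close $wr;
        exit 0;
    }
    close $wr;                            # parent: collect with a deadline
    my @hits;
    my $ok = eval {
        local $SIG{ALRM} = sub { die "timeout\n" };
        alarm MATCH_TIMEOUT;
        @hits = <$rd>;
        alarm 0;
        1;
    };
    alarm 0; my $why = $@; close $rd;
    kill 'KILL', $pid unless $ok;         # stop the runaway match
    waitpid($pid, 0);
    return (undef, $why eq "timeout\n" ? "search timed out" : "search failed: $why") unless $ok;
    chomp @hits;
    return (\@hits, undef);
}

# Constructed sample rows standing in for what the database hands back.
my @rows = ("apple pie", "banana bread", "cherry tart", "apple crumble");
my ($re, $err) = compile_user_pattern('^apple (pie|crumble)$');
die "$err\n" if $err;
my ($hits, $serr) = search_records($re, \@rows);
die "$serr\n" if $serr;
print "$_\n" for @$hits;
```

Rows are passed back one per line, so this assumes the database fields being searched contain no newlines; a pattern such as `(a+)+$` against a long run of "a" is the kind of input that makes the timeout path fire.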
