comment on

Hi all,

I have been reading up on web security and I am getting paranoid. I operate under taint mode - although I must confess to being a little in the dark as to what that means. I am using the following code in order to filter input from a form.

$TEST =~ s/[^a-zA-Z0-9@\/.,: ]//g;
[download]

It works as expected but I am trying to make it as secure as possible and found that if a user enters '<SCRIPT>' into a form field it treats it as a Java Code and it is not filtered. I assume that I could follow this with some other code and do some harm. I need to avoid this security hole and obviously I could check for the word '<SCRIPT>' in STDIN. Is there a better way of doing this and what other holes should I be aware of?

"Keep pouring your ideas"

2006-03-27 Retitled by planetscape, as per Monastery guidelines
Original title: 'audio program'

2006-10-07 Unapproved by planetscape once evidence of habitual plagiarism uncovered.

In reply to taint mode perplexities by jesuashok

Are you posting in the right place? Check out Where do I post X? to know for sure.
Posts may use any of the Perl Monks Approved HTML tags. Currently these include the following:
<code> <a> <b> <big> <blockquote> <br /> <dd> <dl> <dt> <em> <font> <h1> <h2> <h3> <h4> <h5> <h6> <hr /> <i> <li> <nbsp> <ol> <p> <small> <strike> <strong> <sub> <sup> <table> <td> <th> <tr> <tt> <u> <ul>
Snippets of code should be wrapped in <code> tags not <pre> tags. In fact, <pre> tags should generally be avoided. If they must be used, extreme care should be taken to ensure that their contents do not have long lines (<70 chars), in order to prevent horizontal scrolling (and possible janitor intervention).
Want more info? How to link or How to display code and escape characters are good places to start.


Problems? Is your data what you think it is?
	PerlMonks