Re: DBI and stored procedures

As an end user of database at work, I upload pictures and info to a website for the purpose of sales. Aside from the overall truly awful cms I am forced to endure/use, I am numerous times faced with redirect clauses in WHEREs crashes and the like on a frequent basis. It is stupendously annoying. Not to mention inefficient.

But this is beside the point. It is reasonably straightforward to untaint data, prior to checking for SQL type compatibility.

my $inputstring =~ s/^(\w+)$//;
my $username = $1;
[download]

(\w+) checks string for letters and underscore [0-9A-Za-z_] and stores the match in $1. The ^ and $ characters anchor the match to be from the begininng to the end of the string only, so no non-printable characters before or after. You may need to chomp the '\n' before putting through substition.

See perlsec for more info on Taint and laundering data, and perlrequick for an intro to regexes

Comment on Re: DBI and stored procedures Download Code

Replies are listed 'Best First'.
Re^2: DBI and stored procedures by mbethke (Hermit) on Nov 04, 2012 at 16:53 UTC
But this is beside the point. It is reasonably straightforward to untaint data, prior to checking for SQL type compatibility. `my $inputstring =~ s/^(\w+)$//; my $username = $1;` Care must be taken though that all strings are received as UTF-8, otherwise \w matches only ASCII letters and not only Mr. 毛泽东 but also Assunçăo Verônica Álvares, Renée Bäcker and Kryštůfek Březový would get thrown to the "Go away, 33vu1 haxx0r!" page if they used their proper names spelled properly :)	[reply] [d/l]
Re^3: DBI and stored procedures by Don Coyote (Hermit) on Nov 05, 2012 at 14:00 UTC
This would be the reason then, that when I looked up the \w in the regex tutorials \w is mentioned as matching alphanumerics, underscores and others. That was just a quick look. After going back just now, I can see there is a lot of information peppered throughout the various regex tutorials relating to the encoding. In the meantime, I have updated the Ascii \w in my post to include the numerics as well as the alphas. And added some links to perlsec and perlrequick.	[reply]