in reply to Filtering unwanted chars from input field

As CountZero says above, white listing is a much better idea in general for this type of issue since you don't have to worry so much about what you missed; it's a literal fail safe. I'd probably do something like:
    sub filter {
        my $file = shift;
        if (defined $file) {
            # Anchored so the whole string must consist of whitelisted characters
            return $file if $file =~ /\A[\w.]+\z/;
        }
        return;
    }

The biggest question in all this is what are you going to do with the string when you are done? For example, if you are feeding this to client display, most templates (HTML::Template) can handle the escaping for display literals without much difficulty. If you are passing it to an open, you can use the 3 argument form to avoid a lot of vulnerability. If you are passing it to system, multiple argument forms also handle escaping for you.


#11929 First ask yourself `How would I do this without a computer?' Then have the computer do it the same way.
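
The following is an added example, not code from the original post: it combines an anchored whitelist with the three-argument open and list-form system mentioned above. The helper name `safe_upload_name`, the 255-character limit, the temporary directory, and the sample inputs are assumptions made for the illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;

# Hypothetical helper (name and length limit are assumptions for this example):
# return the name only if every character is on the whitelist.
sub safe_upload_name {
    my ($name) = @_;
    return unless defined $name && length $name && length $name <= 255;
    return unless $name =~ /\A[\w.]+\z/a;   # anchored; /a keeps \w ASCII-only
    return if $name =~ /\A\.+\z/;           # reject ".", "..", "..."
    return $name;
}

my $dir = tempdir(CLEANUP => 1);            # stand-in for the upload directory

# Constructed sample inputs, not taken from the thread.
my @samples = ('report.txt', "o'brien.txt", '../etc/passwd', 'a\\b', '..',
               '>clobber', 'ls|', "ok.txt\n");

for my $raw (@samples) {
    (my $shown = $raw) =~ s/\n/\\n/g;       # make a trailing newline visible
    my $name = safe_upload_name($raw);
    unless (defined $name) {
        print "rejected: $shown\n";
        next;
    }
    my $path = File::Spec->catfile($dir, $name);

    # Three-argument open: the mode is its own argument, so nothing in
    # $path can be interpreted as a mode or a pipe.
    open(my $fh, '>', $path) or die "open $path: $!";
    print {$fh} "placeholder upload body\n";
    close($fh) or die "close $path: $!";

    # List-form system: arguments go straight to the program, no shell parses them.
    system($^X, '-e', 'print "stored: ", -s $ARGV[0], " bytes\n"', $path) == 0
        or die "child failed: $?";
}
```

Only `report.txt` is accepted; the last sample shows why `\z` is used instead of `$`, which would let a trailing newline through.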

Re^2: Filtering unwanted chars from input field
by Anonymous Monk on Dec 17, 2012 at 19:56 UTC
    Good stuff, this is only to accept a file being uploaded, just to make sure that the user doesn’t add weird characters like single quote or \ or /, who knows. I like the white list suggestion. Thanks!