Re (tilly) 1: Put name and password in URLs

An addendum that I needed to look up. What do you do if the name or password contains special characters? Well the answer after reading RFC 1738 is that you just URI encode them. (Duh, I should have guessed.) You can do that with the URI::Escape module. Be warned, the default character set it escapes does not include @. Therefore you will want to use something like this:

use URI::Escape qw(uri_escape);

# Takes a list of strings, returns them escaped for use in URLs.  In s
+calar
# context will only escape the first.
sub safe_uri_escape {
  wantarray
    ? map {uri_escape($_, "\\W")} @_
    : uri_escape(shift, "\\W");
}
[download]

Comment on Re (tilly) 1: Put name and password in URLs Download Code

Replies are listed 'Best First'.
Re: Re (tilly) 1: Put name and password in URLs by vacant (Pilgrim) on Nov 10, 2003 at 05:15 UTC
I realize this thread is over two years old, but it caught my attention because I have been looking into deobfuscation of evil URLs, and I believe this is not a good idea, particularly in a HTTP URL. This field (called "userinfo") is defined in the general URI format in RFC 2396, but it is not used in the HTTP URL fomat described in RFC 2616. Nonetheless, most browsers will transmit this field unchanged, and most web servers will ignore it, but supply it to a CGI program as part of the "environment" data. Its chief application is intentionally obscuring the identity of the URL. It is used mainly by fraudsters and spammers for that purpose. In addition, here is a quote from RFC 2396: "It is clearly unwise to use a URL that contains a password which is intended to be secret. In particular, the use of a password within the 'userinfo' component of a URL is strongly disrecommended except in those rare cases where the 'password' parameter is intended to be public."	[reply]
Re: Re: Re (tilly) 1: Put name and password in URLs by tilly (Archbishop) on Nov 10, 2003 at 15:32 UTC
While I grant you that this can be used by fraudsters for social engineering purposes, it has many more legitimate uses. The most common one that I have had is to simplify automation of fetching web pages for batch jobs. You don't have to rewrite a script that used LWP::Simple or that passes stuff to lwp-request, you just add stuff to the URL. While I can't say for sure what people around here have used it for, all of the comments that I have received suggest that they used it for exactly what I did.	[reply]