in reply to Untainting name data from form

Any regex you try to use for this is bound to break. Just wait until Lt. Col. J. Random von Perl-Hacker III Ph.D. visits your site. Or his brother, Rev. Prof. 1st Lt. Jim Bob Q. von Perl-Hacker Sr. LL.D. Ret.

It's better to either provide a select box input for the prefix and text boxes for first, middle, and last names or to allow freeform entry but use the input as a single piece of information. Don't try to parse it.

If you just need to untaint the data you could use a much simpler regex that just scrubs potentially unsafe characters like backticks, ampersands, pipes and such.

-sauoq
"My two cents aren't worth a dime.";

Re: Re: Untainting name data from form
by rob_au (Abbot) on Sep 25, 2002 at 04:27 UTC
    If you just need to untaint the data you could use a much simpler regex that just scrubs potentially unsafe characters like backticks, ampersands, pipes and such.

    I am fairly strict about adherence to some basic pragmas with regard to the handling of data and taint mode. While I am fairly sure you are aware of this already, sauoq, I thought that it would be pertinent to point out for other readers that the regular expression should match only allowed characters and exclude everything else (rather than attempting to match and scrub nasty characters). This approach provides for a tighter regime for the acceptance of user-supplied information and allows your code to catch potentially nasty input down the track which may not have been anticipated or expected when the code was written.
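An added example, not code from either post, contrasting the scrub approach sauoq mentions with the allowlist untaint rob_au recommends, run under Perl's taint mode. The permitted character class and length limit are assumptions for illustration, not something the thread specifies.

```perl
#!/usr/bin/perl -T
# Run as: perl -T name_check.pl 'Lt. Col. J. Random von Perl-Hacker III'
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Allowlist untaint: only the captured group loses its taint, and the
# capture only succeeds when every character is in the permitted set
# (assumed set: letters, space, period, apostrophe, hyphen; max 80 chars).
sub untaint_name {
    my ($raw) = @_;
    return undef unless defined $raw;
    return $raw =~ /\A([A-Za-z][A-Za-z .'-]{0,79})\z/ ? $1 : undef;
}

# Deny-list scrub: removes a handful of known-bad characters but passes
# anything not on the list through, and the result is still tainted.
sub scrub_name {
    my ($raw) = @_;
    (my $clean = $raw) =~ tr/`&|;$<>//d;
    return $clean;
}

# Under -T, @ARGV, %ENV and STDIN are all tainted sources.
my $raw = $ARGV[0];
die "usage: $0 NAME\n" unless defined $raw;

my $name = untaint_name($raw);
if (defined $name) {
    printf "allowlist: accepted '%s' (tainted: %s)\n",
        $name, tainted($name) ? 'yes' : 'no';
} else {
    print "allowlist: rejected, input contains characters outside the permitted set\n";
}

my $scrubbed = scrub_name($raw);
# Still tainted: handing $scrubbed to system(), exec() or a piped open()
# would die with "Insecure dependency" under -T, which is the safety net.
printf "scrub:     '%s' (tainted: %s)\n",
    $scrubbed, tainted($scrubbed) ? 'yes' : 'no';
```

Try it with a name that contains a character outside the set, such as a comma or a digit, to see the allowlist reject it while the scrub version lets it straight through.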