in reply to Security?

The first rule of writing secure web applications is to never trust your input. If your code assumes that the value of a particular parameter is in a particular format then you should use a regex or similar to confirm/enforce that assumption. There are plenty of other potentially dangerous operations apart from those you list. Enabling Perl's taint mode forces the programmer to think more about what input they should accept and what operations are potentially dangerous.

Having said that, the subroutine you supply does not confirm that input matches expectations. Instead, it looks for some bizarre literal sequence of characters and removes them if they're there. This would do absolutely nothing to achieve the stated purpose of ensuring that "nobody can crack the box through his scripts".
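One way to implement the "confirm/enforce the expected format" approach from this reply, as an added example rather than the subroutine under discussion (parameter names and formats are assumptions):

```perl
#!/usr/bin/perl -T
# Added example, not the thread's subroutine: accept a parameter only if it
# matches the format the script expects, instead of stripping a blacklist of
# characters. Written to run under taint mode (-T).
use strict;
use warnings;

# Hypothetical parameter formats this script expects; adjust per application.
# \z is used rather than $ because $ would also accept a trailing newline.
my %FORMAT = (
    username => qr/^([a-z][a-z0-9_]{0,31})\z/,   # lowercase identifier
    page     => qr/^([1-9][0-9]{0,3})\z/,        # small positive integer
);

# Return the validated value, or undef if it does not match.
# Under -T only a regex capture untaints data; a blacklist s/// does not.
sub validate_param {
    my ($name, $value) = @_;
    return undef unless defined $value;
    my $re = $FORMAT{$name} or return undef;   # unknown parameter: reject
    return $value =~ $re ? $1 : undef;
}

# Constructed sample input standing in for CGI parameters.
my %sample = (
    username => 'alice_01',   # matches the identifier format
    page     => '12abc',      # rejected: not a bare integer
);

for my $name (sort keys %sample) {
    my $ok = validate_param($name, $sample{$name});
    printf "%-8s %s\n", $name,
        defined $ok ? "accepted '$ok'" : "rejected '$sample{$name}'";
}
```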

Re: Re: Security?
by perlplexer (Hermit) on Apr 24, 2003 at 01:59 UTC
    I think the intent there was to do a tr/// and remove "unsafe" characters; e.g., |, >, <, etc. But the guy apparently had no clue what he was doing. ;)
    The sub was obviously not tested; otherwise, it would be obvious that it doesn't work...

    --perlplexer

      I also initially wondered whether it was meant to be a tr/// rather than a s/// but the presence of [ in the pattern seemed to contradict that assumption. The fact that square brackets were being treated as potentially evil led me to wonder if the code had originated in a Tcl script :-)

      Actually, he's been using it in his scripts for over a year now.

      antirice
      The first rule of Perl club is - use Perl
      The ith rule of Perl club is - follow rule i - 1 for i > 1

        Well, you may as well tell him that this sub wasted a lot of CPU cycles. ;) It compiles and it runs but it doesn't do anything useful.

        --perlplexer