in reply to Tainted or bad characters

There aren't lists I know of, but the usual practice is to have a default deny...that is, strip out anything that you don't explicitly allow. So something like:

    my $text = $q->param('text');    # $q is the CGI object
    # Removes any character that ISN'T a digit, word, or space character
    $text =~ s/[^\d\w\s]+//g;

In the end though, what characters to allow/disallow all depends on how you are using the data later. Maybe you could explain this more?
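Added example, not code from the thread: one way to put the default-deny idea into a reusable form, with a separate allowlist per destination. It assumes two invented destinations ("tag" and "message") with character sets chosen for the example, and it shows both the strip-what-is-not-allowed approach above and the stricter match-or-reject variant (the capture in the second form is also what clears the taint flag when the script runs under perl -T).

```perl
#!/usr/bin/perl
use strict;
use warnings;

# One allowlist per destination, written as the body of a character class.
# These sets are assumptions for the example; pick them per sink.
my %ALLOW = (
    tag     => 'A-Za-z0-9_',           # short identifiers
    message => 'A-Za-z0-9 .,!?\'-',    # free text for a mail body or a faq
);

# Default deny: delete every run of characters outside the allowlist.
sub strip_to_allowed {
    my ($dest, $text) = @_;
    my $class = $ALLOW{$dest} or die "no allowlist for '$dest'\n";
    return '' unless defined $text;
    (my $clean = $text) =~ s/[^$class]+//g;
    return $clean;
}

# Stricter variant: reject rather than repair. The whole value must match
# and must fit a length limit; the capture is what you pass on. Under
# perl -T the capture is also what clears the taint flag; stripping alone
# does not.
sub accept_or_reject {
    my ($dest, $text, $maxlen) = @_;
    my $class = $ALLOW{$dest} or die "no allowlist for '$dest'\n";
    return undef unless defined $text;
    return $text =~ /\A([$class]{1,$maxlen})\z/ ? $1 : undef;
}

# Constructed sample inputs: one well-formed, two hostile.
my @samples = (
    'hello_world',
    'hello; rm -rf /',        # shell metacharacters
    "name' OR 1=1 --",        # SQL-looking text
);

for my $in (@samples) {
    my $stripped = strip_to_allowed('message', $in);
    my $strict   = accept_or_reject('tag', $in, 32);
    printf "%-22s -> message: %-20s tag: %s\n",
        "'$in'", "'$stripped'", defined $strict ? "'$strict'" : 'rejected';
}
```

Stripping keeps the request alive with whatever survives the filter; rejecting makes a malformed value an error you can log. Which one you want depends on the sink, which is the point of the post above.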

Re: Re: Tainted or bad characters
by waswas-fng (Curate) on Jul 28, 2003 at 19:15 UTC
    Just to expand on TMH's post. For instance, passing a string containing ";" to a shell is a bad idea, but taking that same string and pushing it to a file that is used as a faq is not. Tainted means different things to different outputs; imagine someone being able to push cascade deletes in a SQL statement, or ":" into data that is to be written in a /etc/passwd file. Perl's view of tainted data is anything that comes from the end user that is not checked to verify the string. Real-life tainted data is data that is not checked to verify "good" behavior in its destination.

    -Waswas
      This was most helpful. I was looking for a magic bullet, but, as always, it's more complicated than originally thought. To clarify, I use the data to send out as an email or store in a MySQL DB for later display or manipulation. I love the quick help I get here at the monastery.

        Ok, just be sure you're using placeholders so your external data doesn't ever become part of the SQL command. See the DBI documentation for more on that.
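Added example, not code from the thread: the same hostile string handed to three of the destinations discussed above (a SQL statement, a shell command line, and a colon-delimited record), showing that what makes it dangerous is the sink, not the string. It assumes DBD::SQLite is installed and uses an in-memory database so it runs offline; the table name "notes" and the printf stand-in for a real command are invented for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Assumes DBD::SQLite is available; an in-memory database keeps the
# example self-contained. Table and column names are invented.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, AutoCommit => 1 });
$dbh->do('CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)');

# Constructed hostile input: harmless in a text column, dangerous in a
# shell command line or an interpolated SQL statement.
my $text = q{bob'); DELETE FROM notes; --};

# WRONG: interpolation lets the data become part of the command.
# my $sql = "INSERT INTO notes (body) VALUES ('$text')";

# RIGHT: a placeholder sends the value separately from the statement, so
# the quote and the semicolon are stored as ordinary characters.
my $sth = $dbh->prepare('INSERT INTO notes (body) VALUES (?)');
$sth->execute($text);

my ($stored) = $dbh->selectrow_array(
    'SELECT body FROM notes WHERE id = ?', undef, 1);
print "stored verbatim: ", ($stored eq $text ? 'yes' : 'no'), "\n";

# The same string in a one-argument system("printf $text") would go
# through the shell, which would run the ';'-separated command. The list
# form bypasses the shell: each element is one argv entry and no
# metacharacter is interpreted. printf(1) stands in for a real command.
my $rc = system('printf', '%s\n', $text);
print "list-form system exit status: ", $rc >> 8, "\n";

# For a colon-delimited record such as an /etc/passwd line the dangerous
# character is ':' (and a newline, which would start a new record).
# Neither placeholders nor list-form system() help here; the field has to
# be rejected before the record is assembled.
sub passwd_field_ok {
    my ($field) = @_;
    return defined $field && $field !~ /[:\n]/;
}

for my $field ('alice', 'alice:x:0:0', "alice\nroot:x:0:0") {
    printf "%-24s as a passwd field: %s\n", "'" . ($field =~ s/\n/\\n/gr) . "'",
        passwd_field_ok($field) ? 'ok' : 'rejected';
}
```

The `s///r` form in the last loop needs Perl 5.14 or later; it is only there to print the embedded newline visibly. Placeholders solve the SQL case completely, but they say nothing about the mail and passwd cases, which is why the allowlist still has to be chosen per destination.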