You (your code) pose the security risk, not the characters per se :-) By that I mean this. If all you do is insert data into a database, then retrieve and display it, then the MAJOR issues are quoting the data in the SQL on insertion, handled by the DBI quote method or (better) placeholders. On the display side you need to escape the < > & " chars as well as deal with whitespace/newlines.

Most of those chars are really only dangerous when passed to a shell. You forgot "\000", which is the embodiment of evil. Use #!/usr/bin/perl -wT to set taint mode and perl will warn you if you are doing anything it thinks dangerous. See also perlsec.

Other issues are: what do you want to store? If this is user input, do you just want TEXT or are you going to allow HTML? If you are allowing HTML, what are you going to do about JAVASCRIPT? If you are going to filter, the time to do it is once on insertion rather than every time on display.

There is a wealth of data dealing with this on this site. Super Search for 'db placeholders' and 'escape html' and 'html to text' for lots of useful threads.

Taking a random stab, it seems like you are perhaps considering writing a system where users can post data, that gets stored in a DB and then displayed. Dare I say there are 101+ implementations of this concept on the web. You are, for example, looking at one right now. You might be better modifying an existing solution, perhaps even a Wiki, than rolling it all yourself.

cheers

tachyon


In reply to Re: Perl cgi question by tachyon
in thread Perl cgi question by Anonymous Monk
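The two points the reply makes, placeholders on insertion and escaping on display, put together in one runnable script. This is an added example, not code from tachyon's post; it assumes DBD::SQLite is installed, the comments table and the "user input" are constructed for the demo, and html_escape is a hypothetical helper written here (CGI.pm's escapeHTML or HTML::Entities would do the same job in production).

```perl
#!/usr/bin/perl -wT
# Added example, not from the original post. Run as: perl -wT escape_demo.pl
# -T enables taint mode as the post recommends; with -w you also get warnings.
use strict;
use DBI;

# Escape the characters the post names (& < > ") plus the NUL byte, and turn
# newlines into <br> so stored whitespace survives display. Hypothetical
# helper; order matters: & first, or the entities get double-escaped.
sub html_escape {
    my ($text) = @_;
    $text =~ s/\000//g;          # "\000" has no business in HTML output
    $text =~ s/&/&amp;/g;
    $text =~ s/</&lt;/g;
    $text =~ s/>/&gt;/g;
    $text =~ s/"/&quot;/g;
    $text =~ s/\r?\n/<br>\n/g;
    return $text;
}

# In-memory database so the example runs without any setup (constructed).
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, AutoCommit => 1 });
$dbh->do('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');

# Constructed "user input": a quote in the name, script in the body, and an
# attempted SQL injection tail. In a real CGI this would come from the form.
my $author = q{O'Malley};
my $body   = qq{Hello <script>alert("x")</script>\n'); DROP TABLE comments; --};

# Insertion: placeholders hand the values to the driver separately from the
# SQL text, so the ' and the ; -- never reach the parser as syntax. No string
# interpolation, no hand-rolled quoting.
my $sth = $dbh->prepare('INSERT INTO comments (author, body) VALUES (?, ?)');
$sth->execute($author, $body);

# Display: read it back and escape at the moment it is written into the page.
# The stored data stays as the user typed it; only the HTML view is escaped.
my $rows = $dbh->selectall_arrayref('SELECT author, body FROM comments',
                                    { Slice => {} });
for my $row (@$rows) {
    printf "<p><b>%s</b> wrote:<br>\n%s</p>\n",
        html_escape($row->{author}), html_escape($row->{body});
}
```

This is the "TEXT only" case from the reply: everything is escaped, so the posted <script> is rendered as visible text rather than executed, and the table is still there afterwards because the injection tail was stored as data. If you instead decide to allow a subset of HTML, the reply's advice applies: filter once on insertion, with a whitelist of tags, rather than re-filtering on every display.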
