in reply to Safely passing CGI form data to a shell command

First, always -T! You can forget to untaint something and it can be dangerous.
Second, if you're doing a dictionary search, I would only let /\w+/ strings through, throwing out anything else.

Re^2: Safely passing CGI form data to a shell command
by Tommy (Chaplain) on Apr 21, 2005 at 17:08 UTC
    I was fearing this would prevent searches on hyphenated terms ("-") and perhaps some other possibilities I hadn't thought of...
    --
    Tommy Butler, a.k.a. Tommy
    
      Ok, I should have been more specific...

      I was trying to say that, instead of removing whitespace and quoting special chars, I would define what I want to match and then throw out the rest. I think that if you're searching in a dictionary for an English word, you'll only need [A-Za-z-] (not exactly \w+) if I'm not missing something. It's always safer to get less than expected than get something unexpected, and for sure you (and I) are going to miss something.
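A worked version of the allow-list approach the two replies above describe, as an added example that is not code from the thread: under -T only a regex capture untaints, and the list form of system() keeps /bin/sh out of the picture entirely. The grep and dictionary paths, the 64-character limit and the installed CGI module are assumptions.

```perl
#!/usr/bin/perl -T
# Added example (not from the thread): allow-list a CGI "word" parameter
# under taint mode, then hand it to an external command without a shell.
use strict;
use warnings;
use CGI;

$ENV{PATH} = '/usr/bin:/bin';            # -T refuses to exec with a tainted PATH
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)}; # the other variables perlsec warns about

# Returns the untainted word, or undef if the input contains anything outside
# [A-Za-z-]. \A...\z (not ^...$) so a trailing newline cannot sneak through.
# The 64-character cap is an assumed sanity limit, not something the thread states.
sub untaint_word {
    my ($raw) = @_;
    return undef unless defined $raw;
    return $1 if $raw =~ /\A([A-Za-z-]{1,64})\z/;
    return undef;
}

my $q    = CGI->new;
my $word = untaint_word( $q->param('word') );

print $q->header('text/plain');
if ( !defined $word ) {
    print "Rejected: search terms may only contain letters and hyphens.\n";
    exit;
}

# Multi-argument system() never invokes a shell, so metacharacters are inert
# even if the allow-list were later widened. The '--' stops a hyphen-leading
# term such as "-foo" from being parsed by grep as an option.
# '/usr/bin/grep' and '/usr/share/dict/words' are assumed paths.
my @cmd = ( '/usr/bin/grep', '-i', '--', "^$word\$", '/usr/share/dict/words' );
my $status = system(@cmd);
print "grep exited with status ", $status >> 8, "\n";
```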