Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

Great ones of Perl Wisdom,

I am running a web page where the user can type text in
a textarea tag

I then want to append that string to another perl script, but
when I do, all those special characters mess things up big

How can I either get rid of or, even better, escape all the
special characters

Example:
user enters: Hello! My name is "BOB". This is an old\new text.

perl script is appended and looks like this...

print "Hello! my name is "BOB". This is an old ew text.

and of course I get errors!
I'm looking for something most elegant :) Thanks

Replies are listed 'Best First'.
Re: All the other Characters
by chipmunk (Parson) on Dec 09, 2000 at 00:44 UTC
    I think the safest way to avoid problems with special characters is to use a single-quoted here-doc. There are no special characters in a single-quoted here doc:
    print <<'EndOfText';
    Hello! my name is "Bob". This is an old\new text.
    EndOfText
    Now all you have to worry about is a line in the text matching the here-doc terminator. Here's a way to avoid that problem, in the script that creates the code:
    $str = 'user input';
    $str =~ s/^$/ /gm;   # add a space to each blank line
    print <<"EndOfGeneratedCode";
    print <<'';
    $str

    EndOfGeneratedCode
    With a null terminator, a here-doc ends at the first empty line; the substitution replaces all the empty lines in the user's input with lines containing a single space.
Re: All the other Characters
by rlk (Pilgrim) on Dec 09, 2000 at 00:38 UTC
    Do s[\\][\\\\]g followed by s['][\\']g on the input string, then use single quotes to delimit it in your print statement.

    The first substitution escapes the escape character, and the second escapes the single quote character. As these are the only two things that have special significance in a single quoted string, the script will print out exactly what they put in.

    ObSecurityWarning: If the text input by user A will be seen over the web by user B, you almost certainly want to strip out some or all html tags, or someone could insert something like

    <p onmouseover="location.refresh('http://www.goatse.cx')">Blah blah blah</p>

    or worse. (Though I don't know much that's worse than having to look at the goatse.cx picture.) There are CPAN modules to do this, I believe.

    --
    Ryan Koppenhaver, Aspiring Perl Hacker
    "I ask for so little. Just fear me, love me, do as I say and I will be your slave."
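
The two substitutions from the reply above, wrapped in a function and checked by round trip; this is an added example, not part of the original thread, and `perl_single_quoted` and the sample strings are constructed for illustration. The second replacement is written `\\'` because the replacement side of `s[][]` is interpolated like a double-quoted string, where a lone `\'` collapses to `'`.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper (not from the thread): turn arbitrary text into
# the source of a Perl single-quoted string literal.
sub perl_single_quoted {
    my ($text) = @_;
    $text =~ s[\\][\\\\]g;   # 1. double every backslash first
    $text =~ s['][\\']g;     # 2. then put a backslash before each '
    return "'$text'";
}

# Constructed sample inputs, starting with the question's own example.
my @samples = (
    'Hello! My name is "BOB". This is an old\new text.',
    q{it's},
    q{ends with a backslash\\},          # one trailing backslash
    q{\' backslash followed by a quote},
    q{$var @array line1} . "\n" . q{line2},
    q{a ' quote, a ; and "double quotes"},
);

my $failures = 0;
for my $input (@samples) {
    my $literal = perl_single_quoted($input);
    # Evaluate only the generated literal and compare it with the input.
    # If a quote or backslash were left unescaped, the literal would end
    # early and the rest of the text would be parsed as Perl code.
    my $decoded = eval $literal;
    my $ok = !$@ && defined $decoded && $decoded eq $input;
    $failures++ unless $ok;
    printf "%-4s %s\n", ($ok ? 'ok' : 'FAIL'), $literal;
}

# The line appended to the generated script is then: print LITERAL;
print "generated: print ", perl_single_quoted($samples[0]), ";\n";
exit($failures ? 1 : 0);
```

The order of the substitutions matters: escaping the quote first would have its new backslash doubled by the backslash pass, leaving the quote unescaped again.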

Re: All the other Characters
by mrmick (Curate) on Dec 09, 2000 at 00:35 UTC
    Could you post the relevant code here for us to see?

    The following is based on unfounded assumptions:

    Check to see how the text is passed to the program and if the characters are still there, you know that you have to look further.

    You could probably use a regular expression to take care of these characters but I think the simplest way would be to treat the text as a literal by using single quotes.

    Mick
Re: All the other Characters
by AgentM (Curate) on Dec 09, 2000 at 00:40 UTC
    If you are having problems with not knowing when CGI is escaping and not escaping characters, CGI's autoescape functionality may be informative. Normally, CGI escapes ALL relevant URL information. If you find this inappropriate under your circumstances then you can disable it. However, this functionality is not toggleable.
    AgentM Systems nor Nasca Enterprises nor Bone::Easy nor Macperl is responsible for the comments made by AgentM. Remember, you can build any logical system with NOR.