Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

Hi Monks,

I have been reading about tainting and form checking. I'm getting the hang of it but have no clue on what to do for a TEXTAREA field that can contain up to as much as 765 characters.

What can I Do about malicious hackers trying to submit some harmful coding through the textarea? The text typed in from the text area will be stored in a MySQL database also, which concerns me about this.

This memo may have anything in it-- characters such as ; - _ # @ ' " | \ etc. Basically any character is allowed. Therefore I have no clue how my regex should be?

What security measures can I do for such a field? The text typed will be stored in a MySQL MEDIUMTEXT field.

Thank you!

Replies are listed 'Best First'.
Re: Security with a MEMO field
by rlucas (Scribe) on Jun 08, 2005 at 22:29 UTC
    merylyn is right. Use placeholders in your DBI statements (that is, do: 
     $sth = $dbh->prepare("INSERT INTO dork (memo) VALUES (?)");
 $sth->execute($unsafe_memo);

    [download]
    However, the real question is: what will you do with the memo? If all you'll ever do is put it in the DB (I doubt that), placeholders are enough. Otherwise, think ahead.

    You should examine what you want to do with it in the future (e.g. display it next to the item it is a memo for on a web page, in plain text, etc.). Then, you should take care to properly escape and/or encode it when it comes out of the database en route to its other use.

    In general, it's best to regard the database text fields as untrustworthy dens of iniquity that must be treated just like inbound CGI params (whence those fields usually came).

    Finally, there is another option: filter it coming in so that it can contain only safe things for its intended purpose. However, this should generally only be done in rather limited circumstances.

[reply]
[d/l]

      Placeholders are a good idea, and if you're worried about gremlin characters, DBI placeholders will get you through a few hoops safely - like the INSERT into the database.

      But there are many other kinds of hoops, and you will invent new ones.

      other90percent will now expound at length on data paranoia...

      Read more... (3 kB)

      Feel free to add more hoops and taint checks in reply....

[reply]
Re: Security with a MEMO field
by merlyn (Sage) on Jun 08, 2005 at 22:15 UTC
[reply]
Re: Security with a MEMO field
by djohnston (Monk) on Jun 08, 2005 at 22:18 UTC
[reply]
Re: Security with a MEMO field
by TedPride (Priest) on Jun 09, 2005 at 05:11 UTC
    Check the text for size. If it's over a certain limit, automatically reject the submission.

    Remove all carriage returns: 

    $text =~ tr/\r//d;

    [download]
    Remove leading and trailing white space: 
    $text =~ s/^ +| +$//gm;

    [download]
    Remove any extra line breaks: 
    $text =~ s/^\n+|\n+$//g;
$text =~ s/\n{3,}/\n\n/g;

    [download]
    Then submit using placeholders to take care of potential security breaches.
[reply]
[d/l]
[select]
Re: Security with a MEMO field
by monarch (Priest) on Jun 09, 2005 at 14:23 UTC
    If you don't want to use a placeholder then there is another option (from the CPAN DBD::mysql driver documentation):
      # INSERT some data into 'foo'.
  # We are using $dbh->quote() for
  # quoting the name.
  $dbh->do("INSERT INTO foo VALUES (1, " 
           . $dbh->quote("Tim") 
           . ")");

    [download]

    The quote function will put apostrophes around your quoted text, and escape any nasty characters.

[reply]
[d/l]
Re: Security with a MEMO field
by cowboy (Friar) on Jun 09, 2005 at 18:41 UTC
    As mentioned above, use placeholders (or DBI's quote method, although placeholders are preferable) to put it into the database. As you say it's a memo field, it's probably meant to be displayed again. Assuming you are displaying it as part of a web page, you can make it safe to display in a browser with HTML::Entities.
[reply]

Back to Seekers of Perl Wisdom