in reply to (Ovid) Re: Default CGI.pm param() if none provided?
in thread Default CGI.pm param() if none provided?

For the second, I usually prefer this:
my $page = $q->param('page');
if (!(defined($page)) || ($page =~ /\W/)) {
    $page = 'home';
    $q->param('page', $page);
}
In CGI parameters, there's not a big speed benefit, but for longer strings it can bail out if it matches one non-word character instead of having to match the whole thing.

Another approach is to use transliteration:

if ($page =~ tr/A-Za-z0-9//dc) { $page = 'home'; }

Update: I missed most of the boat here, 'cuz I skipped over the bit where ybiC said "untaint". Different story altogether. Sorry buddy!

Re: (3) Default CGI.pm param() if none provided? (clarification, success, thanks 8^)
by ybiC (Prior) on Dec 28, 2000 at 07:56 UTC
    My original post may not have been clear.   Logic I'm shooting for goes something like this:
    1. untaint via word-characters only
    2. if /index.pl?page=illegal_character *or* if /index.pl?page=nonexistant_urlist
      • send to page=error
    3. if /index.pl?page=valid_urlist
      • send to page=requested
    4. if URL does *not* include /index.pl?page=something
      • send to page=home
    With answers from yourself, Ovid, davorg, and a, I expect I can come up with code that will work.   Thanks and ++ to all 8^)

    Update: Hours past my bedtime and I've got what appears to work.   Round o' ++, my treat!   8^D

    # (must precede untaint)
    # Set query param to site home if url is:
    #   /   /index.pl   /index.pl?   /index.pl?page
    param('page','home') if ! defined param('page');

    # Untaint query param
    # (parentheses make $query hold the param value, not the match result)
    if (($query = param('page')) =~ /^(\w+)$/) {
        $urlist = $1;
    } else {
        $urlist = 'error';
    }

    # Build array of urlist files
    opendir DIR, "$confdir/" or die "Cannot open $confdir: $!";
    my @files = grep { $_ ne '.' && $_ ne '..' } readdir DIR;
    closedir DIR;

    # Anything not found in the directory is sent to the error page
    unless (grep { $_ eq $urlist } @files) {
        $urlist = 'error';
    }

        cheers,
        Don
        striving for Perl Adept
        (it's pronounced "why-bick")
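
The four-step logic from this thread as one routine, showing that a `\W` test validates but only a regex capture untaints. This is an added example, not code from any poster: `resolve_page`, `%known` and the sample names are hypothetical, the allow-list is an in-memory hash standing in for the `readdir` of `$confdir`, and it anchors with `\A...\z` instead of the thread's `^...$`. Run it with `perl -T` to see real taint flags.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Map the raw ?page= value to 'home', 'error', or an allow-listed name.
# $known is a hash ref of valid names; in the thread it would be filled
# from readdir on $confdir.
sub resolve_page {
    my ($raw, $known) = @_;
    return 'home' unless defined $raw;        # no page parameter at all

    # Only a regex capture untaints. \A...\z rather than ^...$ so that a
    # trailing newline cannot satisfy the anchor.
    my ($name) = $raw =~ /\A(\w+)\z/
        or return 'error';                    # empty or non-word characters

    return $known->{$name} ? $name : 'error'; # must also be on the allow-list
}

# Constructed sample data, not taken from the thread.
my %known = map { $_ => 1 } qw(home error perl security);

# Under -T every %ENV value is tainted, so appending a zero-length slice
# of them taints our constructed inputs the way real CGI input would be.
my $TAINT = substr(join('', values %ENV), 0, 0);

for my $raw (undef, 'perl', 'nosuchlist', '../other', "perl\n", '') {
    my $in  = defined $raw ? $raw . $TAINT : undef;
    my $out = resolve_page($in, \%known);
    (my $shown = defined $raw ? "'$raw'" : 'undef') =~ s/\n/\\n/g;
    printf "%-14s -> %-6s in tainted=%d, out tainted=%d\n",
        $shown, $out, (tainted($in) ? 1 : 0), (tainted($out) ? 1 : 0);
}

# The \W test from the first reply validates but does not untaint.
my $page = 'perl' . $TAINT;
printf "passes the \\W test: %s, still tainted: %s\n",
    ($page !~ /\W/ ? 'yes' : 'no'), (tainted($page) ? 'yes' : 'no');
```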