radix has asked for the wisdom of the Perl Monks concerning the following question:

Sequel to my SQL injection question: would someone be kind enough to help me out with a small expression that can find the following characters?

Example:

    if ($mytext contains ' or ; or *) {   # three things: ', ; or *
        exit();
    }


Thanks in advance

Re: String comparison expression
by GrandFather (Saint) on Oct 09, 2007 at 19:57 UTC

    I think what you want is:

    exit () if $mytext =~ /[';*]/;

    Perl is environmentally friendly - it saves trees
Re: String comparison expression
by aquarium (Curate) on Oct 10, 2007 at 01:20 UTC
    That's a bad way of untainting... the better/safer way is to only let through the allowed character class instead, e.g. "a-zA-Z0-9 ,()+".
    You could even later use a SQL tokenizer to validate the SQL before execution. I believe there's also a DBI function to send the SQL as passthru... so it would have no chance of causing side effects in the Perl (and DBI module). But you couldn't use placeholders in that.
    the hardest line to type correctly is: stty erase ^H
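The contrast aquarium draws, as an added example that is not code from the thread: the blocklist regex from the accepted answer and the allowlist class from this reply are run over a handful of constructed inputs, and the same inputs are then sent through DBI both by string interpolation and through placeholders. It assumes DBI and DBD::SQLite are installed (the database is in-memory, so it runs offline); the table, the names and the secrets are made up for the demonstration.

```perl
#!/usr/bin/perl
# Added example (not from the thread): blocklist vs. allowlist checks on
# constructed inputs, then the same inputs run through DBI with string
# interpolation and with placeholders. Assumes DBI and DBD::SQLite are
# installed; the database is in-memory, so nothing touches disk.
use strict;
use warnings;
use DBI;

# Constructed sample inputs: a benign name, a legitimate name containing an
# apostrophe, and strings an attacker might submit.
my @inputs = (
    q{Jonny},
    q{O'Brien},      # legitimate, yet rejected by both character checks
    q{' OR ''='},    # classic injection, caught by the blocklist
    q{1 OR 1=1},     # none of ' ; * present: passes the blocklist; harmful
                     # where the value is interpolated unquoted (WHERE id = $id)
    q{Jonny\\},      # trailing backslash, also invisible to the blocklist;
                     # harmless in SQLite, a broken literal in MySQL
);

# The thread's blocklist: reject when any of ' ; * is present.
sub blocklist_ok { my ($s) = @_; return $s !~ /[';*]/ ? 1 : 0 }

# The allowlist suggested in the thread: accept only this character class.
sub allowlist_ok { my ($s) = @_; return $s =~ /\A[a-zA-Z0-9 ,()+]*\z/ ? 1 : 0 }

printf "%-16s %-10s %s\n", 'input', 'blocklist', 'allowlist';
for my $s (@inputs) {
    printf "%-16s %-10s %s\n", $s,
        blocklist_ok($s) ? 'pass' : 'REJECT',
        allowlist_ok($s) ? 'pass' : 'REJECT';
}

# A small in-memory table to query against (constructed data).
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 });
$dbh->do('CREATE TABLE users (name TEXT, secret TEXT)');
$dbh->do('INSERT INTO users VALUES (?, ?)', undef, 'Jonny',    'jonny-secret');
$dbh->do('INSERT INTO users VALUES (?, ?)', undef, q{O'Brien}, 'obrien-secret');

for my $name (@inputs) {
    # Vulnerable: the value is pasted into the SQL text, so it is parsed as SQL.
    # eval catches the syntax error that O'Brien's apostrophe causes.
    my $interp = eval {
        $dbh->selectall_arrayref("SELECT secret FROM users WHERE name = '$name'");
    };
    my $interp_result = defined $interp ? scalar(@$interp) . ' row(s)' : 'SQL error';

    # Hardened: the value is bound as data; the SQL text never changes, so no
    # character check is needed to keep the query's structure intact.
    my $bound = $dbh->selectall_arrayref(
        'SELECT secret FROM users WHERE name = ?', undef, $name);

    printf "%-16s interpolated: %-12s placeholder: %d row(s)\n",
        $name, $interp_result, scalar @$bound;
}
$dbh->disconnect;
```

Run it with plain `perl`. The interpolated query returns every row for `' OR ''='` (the WHERE clause becomes `name = '' OR ''=''`) while the placeholder query returns none; `O'Brien` is rejected by both character checks and breaks the interpolated query, but the bound query finds the row; `1 OR 1=1` passes the blocklist untouched, which is the weakness of blocking a few characters rather than allowlisting or, better, binding the value.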
Re: String comparison expression
by graff (Chancellor) on Oct 09, 2007 at 19:57 UTC
Re: String comparison expression
by mwah (Hermit) on Oct 09, 2007 at 19:57 UTC
    radix
    use strict;
    use warnings;

    my $badstring  = q{' OR ''='};
    my $goodstring = q{Jonny};

    for my $string ($badstring, $goodstring) {
        if ( $string =~ /['*;]/ ) {
            print "$string is BAD!\n";
            exit;
        }
        else {
            print "$string is GOOD!\n";
        }
    }
    Regards

    mwa