rooneyl has asked for the wisdom of the Perl Monks concerning the following question:

I am writing a few websites using Mason. I would like some advice on how to deal with input from forms. With each value from the form, I currently pass it through a regex to check it for unsafe characters. This works well, but hampers the user interface. For example, I currently disallow the use of the ' character. This has the effect of incurring spelling and grammar mistakes; for example, isn't cannot be entered.
I was thinking maybe the way to deal with it is to convert the characters into something non-dangerous to process, and then re-convert them back when outputting.
Also, I have read about converting input based on its character set into Perl's internal format; would this be an answer?
I appreciate any thoughts and help. Thanks in advance for any help.

Re: Securing HTML query strings
by Lawliet (Curate) on Aug 16, 2008 at 20:18 UTC
      I have read the article, it is very good.
      I am not sure how helpful using any CGI modules are to me. I process the elements from the form using the code:
      my $form_element = $ARGS{form_element};
      not
      my $form_element = $query->param("form_element"); (as is the case when using CGI).
      Are there any other modules that do something similar not relating to CGI?

        Yes, HTML::Entities. I just grouped it with the getting of the parameter (it is not limited to CGI forms).

        I'm so adjective, I verb nouns!

        chomp; # nom nom nom

Re: Securing HTML query strings
by olus (Curate) on Aug 16, 2008 at 22:49 UTC

    If I understand correctly, your concern is with validating info before going to the database, even though there might be some other validations (business rules?) that you are considering. If that is the case, as with the ' character, you could consider using placeholders in your queries.

      My main concern is with dealing with the ' character, as it can be used for SQL injection attacks. Lawliet suggested using HTML::Entities, which converts the ' character into its HTML value. Could placeholders be used to stop ' being processed literally as well?
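The following is an added example, not code posted in this thread and not part of Mason, DBI or HTML::Entities themselves. It puts the two answers above together for the original question: the raw value (apostrophe included) goes to the database through a DBI placeholder, and HTML::Entities escapes it only at the moment it is rendered, so no character has to be banned at input time. It assumes DBD::SQLite is installed (an in-memory database is used so nothing else is needed) and uses a constructed sample comment.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;
use HTML::Entities qw(encode_entities);

# Constructed sample input: the kind of value the poster's regex rejects.
my $comment = "It isn't <b>safe</b> to trust input; see O'Brien's notes";

# Assumption: DBD::SQLite is available. An in-memory database keeps the
# example self-contained.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, AutoCommit => 1 });
$dbh->do('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

# The problem the thread is about: building the SQL text by interpolating the
# value. The apostrophe in "isn't" terminates the string literal, so the
# statement no longer means what was intended (here it simply fails to parse).
my $interpolated = "INSERT INTO comments (body) VALUES ('$comment')";
my $ok = eval { $dbh->do($interpolated); 1 };
print "interpolated SQL was rejected by the database: ", ($ok ? "no" : "yes"), "\n";

# The fix olus refers to: a '?' placeholder. DBI passes the value to the driver
# separately from the SQL text, so ' is stored as data and never parsed as SQL.
my $sth = $dbh->prepare('INSERT INTO comments (body) VALUES (?)');
$sth->execute($comment);

# Placeholders work the same way for reads.
my ($stored) = $dbh->selectrow_array(
    'SELECT body FROM comments WHERE id = ?', undef, 1);
print "stored exactly as typed: ", ($stored eq $comment ? "yes" : "no"), "\n";

# The step Lawliet refers to: escape for HTML when the value is output, not when
# it is received. The second argument widens the default set (<, >, &, ") to
# include the apostrophe, which becomes &#39;.
my $html = encode_entities($stored, q{<>&"'});
print "$html\n";
```

The printed HTML is `It isn&#39;t &lt;b&gt;safe&lt;/b&gt; to trust input; see O&#39;Brien&#39;s notes`. In a Mason component the same rendering step is available as the `h` escape flag, `<% $stored | h %>`, so the database keeps the real text and each output context applies its own escaping.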