Hello Monks:

I would like to add some security to my forms.

I found a few regexes that might help, like:

    # the regexes as found, each applied to $string in turn
    $string =~ s/\</\&lt\;/g;                           # < becomes &lt;
    $string =~ s/\>/\&gt\;/g;                           # > becomes &gt;
    $string =~ s/[\"\'\}\{\)\(\+]//g;                   # drop quotes, braces, parens and +
    $string =~ s/<!(?:--[\s\S]*?--\s*)?>\s*//g;         # drop HTML comments
    $string =~ s/[\~\^]//g;                             # drop ~ and ^
    $string =~ s/~!/ ~!/g;                              # put a space in front of ~!
    $string =~ s/<*(javascript)[^>]+>//gi;              # drop "javascript..." up to the next >
    $string =~ s/(<[\s\/]*)(script\b[^>]*>)/$1x$2/gi;   # turn <script ...> into <xscript ...>
    $string =~ s/<*(iframe)[^>]+>//gi;                  # drop "iframe..." up to the next >
    $string =~ s/<*(script)[^>]+>//gi;                  # drop "script..." up to the next >

Except I have a trillion different form field names in different forms all through my server.

Is there a way to do a generic catch-all loop over the field names and test them, rather than specifying each field name? I'm thinking of adding a routine in a separate library (let's say security.lib) and just adding require "security.lib"; to the forms I want to add security to.

I'm using the following syntax to obtain input:

    use CGI;
    my $q = CGI->new;
    my $string = $q->param('string');

Thanks for your help

VirtualWeb

-----------------------------------------

Addendum

ikegami: thank you for your input. As I said, I found these regexes; I have no idea if they are properly written or if they help at all. I haven't used them, I only listed them here as an example of what I'm trying to do. If you know better regexes to stop possible intruders from doing any damage, you may suggest them.

hangon: Thank you for that loop, you are the one who understood best what I'm trying to do. I will do some testing on your snippet.

Your Mother: thank you for suggesting the use of HTML::Scrubber and HTML::Strip. My concern is not that people may input HTML tags, but malicious code that may delete or steal password files, download the CGI code that makes up my script, change folder names, run shell commands, etc. At least I think I should use a blacklist so people won't be able to enter commands like system, exec, open, eval, rand, etc.

leocharre: thanks for the suggestion of printing out the CGI documentation. If you know where to find some that deals with form security, I promise to read it.
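The generic "loop over every field name" asked for above, as an added example; this is the editor's code, not code from the post or from any of the replies mentioned in the addendum. It assumes CGI.pm 4.08 or later (for multi_param); the field names, the per-field patterns, the query string and the file paths in @cmd are made up for the example.

```perl
#!/usr/bin/perl
# Added example, not from the original post. One check that walks every
# submitted field, whatever the form calls it, so it can sit in one library
# that each CGI script loads. Assumes CGI.pm >= 4.08 (multi_param).
use strict;
use warnings;
use CGI;

# Per-field allow-lists (hypothetical field names): the whole value must match.
# Fields not listed here fall back to $DEFAULT. Patterns are unanchored; the
# loop anchors them with \A...\z and captures the match, which is also what
# untaints the value when the script runs under perl -T.
my %RULES = (
    username => qr/[A-Za-z0-9_]{1,32}/,
    email    => qr/[^\s\@]{1,64}\@[A-Za-z0-9.-]{1,253}/,
    comment  => qr/[^\x00-\x08\x0b\x0c\x0e-\x1f]{0,2000}/,  # free text, no control chars
);
my $DEFAULT = qr/[\w .,!?\@-]{0,200}/;

# Validate every field in the request. Returns a hashref of accepted values
# (name => arrayref, since a field can be sent more than once) and an arrayref
# of rejection messages. Bad values are dropped, not "cleaned up".
sub check_all_fields {
    my ($q) = @_;
    my (%clean, @errors);
    for my $name ($q->param) {          # list context, no args: every field name
        # The field name is client-supplied too, so it gets the same treatment.
        unless ($name =~ /\A[A-Za-z0-9_]{1,64}\z/) {
            push @errors, 'field with unexpected name dropped';
            next;
        }
        my $rule = $RULES{$name} || $DEFAULT;
        for my $value ($q->multi_param($name)) {
            if (my ($ok) = $value =~ /\A($rule)\z/) {
                push @{ $clean{$name} }, $ok;   # $ok is the untainted copy
            } else {
                push @errors, "$name: value rejected";
            }
        }
    }
    return (\%clean, \@errors);
}

# Constructed request for the example: CGI->new accepts a query string, so this
# runs from the command line with no web server. "bob;rm -rf /" fails the
# username rule, the field named "x=y" is dropped, the <script> comment is
# accepted as text and escaped only when printed.
my $q = CGI->new('username=alice&username=bob%3Brm%20-rf%20%2F'
               . '&comment=hi%20%3Cscript%3Ealert(1)%3C%2Fscript%3E'
               . '&x%3Dy=1&email=alice%40example.org');
my ($clean, $errors) = check_all_fields($q);

# Escape at the point of output, not at input: the stored comment keeps its
# text, and the browser never receives live markup.
for my $name (sort keys %$clean) {
    for my $value (@{ $clean->{$name} }) {
        print "$name: ", $q->escapeHTML($value), "\n";
    }
}
print "rejected: $_\n" for @$errors;

# Where a value has to reach a program, pass it as an argument list. With more
# than one element system() never starts a shell, so ';' or '|' in the data
# cannot chain commands, and no list of forbidden words is needed.
my @cmd = ('/usr/bin/grep', '--', $clean->{username}[0], '/var/www/data/users.txt');
# system(@cmd) == 0 or die "grep failed: $?";   # paths above are placeholders
```

To use it the way the post describes, move %RULES, $DEFAULT and check_all_fields into security.lib, end that file with 1;, put require "security.lib"; at the top of each script, and call check_all_fields($q) right after CGI->new, before any field is read. Scripts that never run external commands can stay on the escaping alone.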


In reply to Form Security by virtualweb
