eternius has asked for the wisdom of the Perl Monks concerning the following question:

Hi,

I am trying to write a module (it is not a module yet, just a test script) for automatically filtering input submitted from the web. I plan to mark every variable in forms or queries like i_var or a_var, which then get classified by the module.

I would be very glad if someone with real Perl knowledge would have a look at the code and tell me what problems could arise, whether there is already a module I could use, or could give me tips about it in general.


Thanks in advance


#!/usr/bin/perl
use strict;
use warnings;
use CGI::Lite;

my %fd;
my $DO_DIE     = 0;
my $VALID_NAME = '[^0-9a-zA-Z_]';
my $BOUNDARY   = 2;
my %REGS;

#### regs: each pattern matches characters that are NOT allowed for that prefix
$REGS{'b_'} = '[^0-1]';              # bool
$REGS{'i_'} = '[^0-9\.]';            # int, float?
$REGS{'a_'} = '[^0-9a-zA-Z_\.]';     # alphanumeric
$REGS{'c_'} = '[^0-9a-zA-Z_:\.]';    # cmd
$REGS{'p_'} = '[^0-9a-zA-Z_\.\/]';   # path
$REGS{'t_'} = '[.*]';                # text (a character class: only '.' and '*' are rejected)
# ...
#### /regs

%fd = get_form_data();

# use Data::Dumper;
# print Dumper(\%fd);

sub get_form_data {
    my $cgi = CGI::Lite->new;
    my %_fd = $cgi->parse_form_data;
    foreach (keys %_fd) {
        if (is_valid_name($_)) {
            # multi-valued fields arrive as an array ref; keep only the first value
            $_fd{$_} = $_fd{$_}[0] if ref($_fd{$_});
            my $chk = is_valid_value($_, $_fd{$_});
            if (!defined $chk) {
                die "wrong value" if $DO_DIE;
                delete $_fd{$_};
            }
        } else {
            die "wrong variable name" if $DO_DIE;
            delete $_fd{$_};
        }
    }
    return %_fd;
}

sub is_valid_value {
    my $n    = shift;
    my $v    = shift;
    my $v_id = substr($n, 0, $BOUNDARY);
    # empty error
    # or is empty value okay?
    if ($n && $v_id && $REGS{$v_id}) {
        return ($v =~ /$REGS{$v_id}/) ? undef : 1;
    } else {
        return undef;
    }
}

sub is_valid_name {
    my $name = shift;
    return ($name =~ /$VALID_NAME/) ? 0 : 1;
}

Re: Web Security
by Anonymous Monk on Apr 13, 2005 at 11:44 UTC
Re: Web Security
by gam3 (Curate) on Apr 13, 2005 at 11:05 UTC
    You should be compiling your regular expressions.
    $REGS{'b_'} = qr/[^0-1]/;
    ...
    ($v =~ $REGS{$v_id}) ? undef : 1;
    
    -- gam3
    A picture is worth a thousand words, but takes 200K.
      You should be compiling your regular expressions.
      Curious. There's so much that could be improved in the code, and you come up with something very minor, of which it's questionable whether it makes any difference.

      Since you don't say why you think the regular expressions should be compiled, my question is, how would the code improve if the regular expressions were compiled? (Hint: it won't matter performance-wise).

        Curious, you mention that so much could be improved and yet instead of providing that you pick on an early poster. You don't even mention why there won't be a performance increase (when I think in fact there would be.) Another benefit of compiling the regex is that it looks cleaner; they are obviously regexes now, and you don't shove them in a string first. ;)
        Hi,

        There's so much that could be improved in the code,


        Mind telling me in detail, please :)? (It would give me the opportunity to learn.)

        Thanks to all the other repliers, I will have a try with the Data::FormValidator module.

        bye
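A whitelist version of the prefix scheme from the original script, using compiled qr// patterns as gam3 suggests. This is an added example, not code from any poster in this thread; the %form hash is constructed input standing in for CGI::Lite->parse_form_data, and the length limits and the rule that empty values are dropped are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
# Compiled, anchored whitelist patterns keyed by the two-character field prefix.
# \A and \z are used instead of ^ and $ so that a trailing newline cannot slip
# past the check (with $, "42\n" would still match /^\d+$/). Length limits are assumptions.
my %REGS = (
    b_ => qr/\A[01]\z/,                                   # bool
    i_ => qr/\A-?\d+(?:\.\d+)?\z/,                        # int or float
    a_ => qr/\A[0-9a-zA-Z_.]{1,64}\z/,                    # alphanumeric token
    c_ => qr/\A[0-9a-zA-Z_:.]{1,64}\z/,                   # command name
    p_ => qr{\A(?!.*\.\.)[0-9a-zA-Z_./]{1,255}\z},        # path, no ".." segments
    t_ => qr/\A[^\x00-\x08\x0B\x0C\x0E-\x1F]{0,4096}\z/, # text, no control chars
);
my $VALID_NAME = qr/\A[a-z]_[0-9a-zA-Z_]+\z/;
# Returns a hash of only the fields that have a known prefix and whose every
# value matches the whitelist; everything else is dropped and reported via $bad.
sub filter_form_data {
    my ($in, $bad) = @_;
    my %out;
    for my $name (keys %$in) {
        my @values = ref($in->{$name}) ? @{ $in->{$name} } : ($in->{$name});
        my $re = $name =~ $VALID_NAME ? $REGS{ substr($name, 0, 2) } : undef;
        if (!$re) {
            push @$bad, "$name: unknown field name or prefix";
            next;
        }
        # Empty values are treated as absent rather than as valid (assumption).
        if (grep { !defined($_) || $_ eq '' || $_ !~ $re } @values) {
            push @$bad, "$name: value rejected";
            next;
        }
        $out{$name} = @values > 1 ? \@values : $values[0];
    }
    return %out;
}
# Constructed sample input standing in for CGI::Lite->parse_form_data.
my %form = (
    i_page  => "42\n",            # trailing newline, rejected
    i_count => '7',
    b_debug => '1',
    p_file  => 'docs/../etc/x',   # "..", rejected
    a_user  => ['alice', 'bob'],  # multi-valued field, both values checked
    t_note  => "hello\x00world",  # NUL byte, rejected
    evil    => 'whatever',        # no recognised prefix, rejected
);
my @bad;
my %clean = filter_form_data(\%form, \@bad);
print "kept: ", join(', ', sort keys %clean), "\n";
print "$_\n" for @bad;
```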
Re: Web Security
by kprasanna_79 (Hermit) on Apr 13, 2005 at 12:02 UTC
Re: Web Security
by mpeters (Chaplain) on Apr 13, 2005 at 14:33 UTC
    To add something to what others have said about Data::FormValidator and CGI::Application::ValidateRM, you could easily create a validation module that would provide these validation routines. It seems your main goal is to validate the type (int, float, char, etc.) of the input.

    So if I were you, I'd consider taking this idea and writing a module containing constraint routines for Data::FormValidator (maybe named 'Data::FormValidator::Constraints::Types'). It would definitely be of more use to more people.