
Re: Allow only letters and numbers?

February 21, 2002 20:08
>>>>> "Timothy" == Timothy Johnson <> writes:

Timothy> Okay, I get what you're saying about \z, sort of, assuming
Timothy> that the user doesn't have to enter in the text at a prompt
Timothy> and you're not reading from a file where lines are delimited
Timothy> by newlines, but I don't get where this ties into security.
Timothy> Could you explain?

Suppose you used that to validate a new username in $string.  And
then, having validated that, you use $string to create a new line in a
passwd-like file:

   print PASSWORD $string, ":", $newpassword, ...;

oops...  I just corrupted your password file with my new user ID, and
I might be able to use that either for a denial-of-service, or perhaps
gimmick up a better user status for myself.

First rule of security -- Make sure your validations actually work!

Yours didn't, and that means that life would be sweet for the

Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See for onsite and open-enrollment Perl training!
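
As an added illustration of the point made above (this is example code
written for this page, not code from the thread or from Randal), the
following script runs the $-anchored check and the \z-anchored check
side by side on constructed inputs, then performs the passwd-like write
into an in-memory filehandle so the corruption can be seen without
touching a real file. The field layout after the password, the uid/gid
and the home/shell values are assumptions made for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample inputs (not from the original post). "alice\n" is what a
# username looks like when it was read from a prompt or a form and nobody
# chomped the line ending before validating it.
my @candidates = ("alice", "alice\n", "alice\n\n", "ali ce");

# The loose check from the thread: without /m, $ matches at the very end of
# the string OR just before a string-final newline, so "alice\n" is accepted.
sub valid_loose {
    my ($s) = @_;
    return $s =~ /^[A-Za-z0-9]+$/ ? 1 : 0;
}

# The strict check: \z matches only at the true end of the string (\Z would
# still tolerate the trailing newline, just like $), and \A only at the start.
sub valid_strict {
    my ($s) = @_;
    return $s =~ /\A[A-Za-z0-9]+\z/ ? 1 : 0;
}

# The passwd-like write from the post, done into an in-memory filehandle so
# the example runs offline. The fields after the password are an assumption.
sub record_for {
    my ($user, $pw) = @_;
    my $buf = '';
    open(my $fh, '>', \$buf) or die "open: $!";
    print $fh $user, ":", $pw, ":1001:1001::/home/", $user, ":/bin/sh\n";
    close $fh;
    return $buf;
}

for my $name (@candidates) {
    (my $shown = $name) =~ s/\n/\\n/g;    # make the newline visible
    printf "%-12s loose=%d strict=%d\n",
        qq("$shown"), valid_loose($name), valid_strict($name);
}

# What the loose check lets through, once it is written out: a single
# "validated" user becomes three lines, so the file is no longer one
# record per line and whatever parses it next sees garbage.
my @lines = split /\n/, record_for("alice\n", "secret");
printf "\n%d line(s) written for a single validated user:\n", scalar @lines;
print "  [$_]\n" for @lines;
```

Running it shows "alice\n" passing the loose check and failing the strict
one, and the record for it split across three lines. The practical fix is
either of the two things the script does not do together: chomp the input
before validating it, or anchor the pattern with \A and \z instead of ^ and $.
Adding /m to the loose pattern makes things worse, since $ then matches
before every embedded newline, not only a trailing one.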
