
RE: unallowed chars

From:
John
Date:
March 29, 2002 08:31
Subject:
RE: unallowed chars
Message ID:
000001c1d73f$1bc52160$6701a8c0@rochester.rr.com
Teresa,

You've been very helpful to me in the past, so the least I can do is return
the favor.

I wrote an e-mail autoresponder for my web site which filters out certain
characters. It seems to have worked well for me, so far. I'll post the
relevant code below as an example -- you might find it useful for your
current project.

The incoming e-mail form variables from my web page are vetted through
various tests before they're processed. The first thing I do is to translate
all "<, >, {, }, [, ]" characters to either "(" or ")", as appropriate. My
theory is that I don't want any HTML tags being taken in, and will gladly
suffer whatever small degradation might occur to someone's prose style
as a consequence. <g>

	# map each bracket to a parenthesis one character to one character;
	# a range such as tr/<->/(-)/ spans '<', '=', '>' and would also turn '=' into ')'
	$user_body =~ tr/<>{}[]/()()()/;

Then, making sure I add insult to injury, I also filter out the following:

	# allow-list test: every character must be in this class ('-' is escaped so it is a literal hyphen, not the range %-_)
	die "disallowed characters in message body\n" unless $user_body =~ /^[\/\?\$\(\)\;\"\',\+:%\-_!=\@\s\w.]+$/;

This seems to work for my application wherein users are sending e-mail to me
on business-related topics. If your application concerns a subject area
wherein any of the foregoing characters are essential, then just allow 'em
to come through.

I hope this is useful as a working example.

John--


-----Original Message-----
From: Teresa Raymond [mailto:traymond@mariposanet.com]
Sent: Thursday, March 28, 2002 5:46 PM
To: Perl Beginners List
Subject: re: unallowed chars


Ok, and where are the recommended characters to disallow?  I have
tested and I know which characters are going through but I would like
to make sure I've included most of the recommended list.

>From: Teresa Raymond <traymond@mariposanet.com>
>
>>  Where in the Camel or other resource is the list of characters that
>>  we don't want people to type in.  I'm still collecting all the
>>  resources I lost from my logic board dying.  Thanks in advance.
>
>When testing data you should ALWAYS test whether the string
>contains only the allowed characters or is in the allowed format,
>never whether it contains some forbidden characters or contains
>something that you do not like.
>
>You may forget something that happens to be special in your case
>and you would open a security hole while thinking you are safe.
>
>While in life I prefer "what is not forbidden, is allowed"
>in programming it should be the opposite.
>
>Jenda
>
>=========== Jenda@Krynicky.cz == http://Jenda.Krynicky.cz ==========
>There is a reason for living. There must be. I've seen it somewhere.
>It's just that in the mess on my table ... and in my brain
>I can't find it.
>					--- me
>
>--
>To unsubscribe, e-mail: beginners-unsubscribe@perl.org
>For additional commands, e-mail: beginners-help@perl.org


--
-------------------------------
-  Teresa Raymond             -
-  Mariposa Net               -
-  http://www.mariposanet.com -
-------------------------------
--

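The allow-list approach John's code and Jenda's advice describe, carried through as an added example that is not code from this thread: one vetting routine with the bracket mapping done one character to one, the hyphen escaped inside the class, and the pattern anchored to the whole string, run over constructed sample inputs.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Allow-list of characters, in the spirit of Jenda's advice: test that
# the string contains ONLY these, rather than hunting for bad ones.
# The hyphen is escaped so it is a literal '-' and not the range %-_,
# which spans 0x25..0x5F and would silently admit '<', '>', '[', '\',
# ']', '^', '*' and '&' as well. \A and \z anchor the whole string,
# whereas $ alone would tolerate a trailing newline.
my $ALLOWED = qr/\A[\/?\$();"',+:%\-_!=\@\s\w.]+\z/;

# Vet one form field. Returns the normalised text if every character is
# on the allow-list, otherwise undef.
sub vet_body {
    my ($body) = @_;
    return undef unless defined $body;

    # Defang markup: map each bracket to a parenthesis one-to-one.
    # A range form such as tr/<->/(-)/ would also remap '=' to ')'.
    (my $clean = $body) =~ tr/<>{}[]/()()()/;

    return $clean =~ $ALLOWED ? $clean : undef;
}

# Constructed sample inputs, not taken from the original thread.
my @samples = (
    "Hi John, can you send me the price list? Thanks, Teresa",
    'Try <a href="http://example.com/">this</a> link',
    'See the file at C:\temp\report.doc',
);

for my $in (@samples) {
    my $out = vet_body($in);
    printf "%-8s %s\n", defined $out ? 'accept' : 'reject',
        defined $out ? $out : $in;
}
```

The second sample is accepted only because its tags have already been turned into parentheses; the third is rejected for the backslash, a character the unescaped `%-_` range in the original pattern would have let through.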