perl.beginners | Postings from March 2002

RE: unallowed chars

March 29, 2002 08:31

You've been very helpful to me in the past, so the least I can do is return
the favor.

I wrote an e-mail autoresponder for my web site which filters out certain
characters. It seems to have worked well for me, so far. I'll post the
relevant code below as an example -- you might find it useful for your
current project.

The incoming e-mail form variables from my web page are vetted through
various tests before they're processed. The first thing I do is to translate
all "<, >, {, }, [, ]" characters to either "(" or ")", as appropriate. My
theory is that I don't want any HTML tags being taken in, and will gladly
suffer whatever small degradation which might occur to someone's prose style
as a consequence. <g>

	# Map the HTML/brace/bracket characters to parentheses.  Written as a
	# literal list: "tr/<->/(-)/" would be a range (<, =, >), so "=" would
	# also be turned into ")".
	$user_body =~ tr/<>{}[]/()()()/;

Then, making sure I add insult to injury, I also filter out the following:

	# Allow-list check (the hyphen is escaped; an unescaped "%-_" would be a
	# character range from "%" to "_", admitting "<", ">", "[", "\" and "]").
	die "disallowed character in message body\n"
	    unless $user_body =~ /^[\/\?\$\(\)\;\"\',\+:%\-_!=\@\s\w.]+$/;

This seems to work for my application wherein users are sending e-mail to me
on business-related topics. If your application concerns a subject area
wherein any of the foregoing characters are essential, then just allow 'em
to come through.

I hope this is useful as a working example.


-----Original Message-----
From: Teresa Raymond []
Sent: Thursday, March 28, 2002 5:46 PM
To: Perl Beginners List
Subject: re: unallowed chars

Ok, and where are the recommended characters to disallow?  I have
tested and I know which characters are going through but I would like
to make sure I've included most of the recommended list.

>From: Teresa Raymond <>
>>  Where in the Camel or other resource is the list of characters that
>>  we don't want people to type in.  I'm still collecting all the
>>  resources I lost from my logic board dying.  Thanks in advance.
>When testing data you should ALWAYS test whether the string
>contains only the allowed characters or is in the allowed format,
>never whether it contains some forbidden characters or contains
>something that you do not like.
>You may forget something that happens to be special in your case
>and you would open a security hole while thinking you are safe.
>While in the life I prefer "what is not forbidden, is allowed"
>in programming it should be the opposite.
>=========== == ==========
>There is a reason for living. There must be. I've seen it somewhere.
>It's just that in the mess on my table ... and in my brain
>I can't find it.
>					--- me
>To unsubscribe, e-mail:
>For additional commands, e-mail:

-  Teresa Raymond             -
-  Mariposa Net               -

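An added example, not part of the original post, showing the allow-list test the quoted advice recommends (accept only known-good characters, reject everything else) and why a hyphen inside a character class has to be escaped. The field name `$user_body` is the one used in the post; `is_allowed`, `$ALLOWED`, `$BUGGY` and the sample messages are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example (not from the original post): allow-list validation of a
# form field, contrasting an accidental character-class range with the
# intended literal set.  Sample inputs below are constructed.
use strict;
use warnings;

# Intended allow-list: word characters, whitespace, and a small set of
# punctuation.  The hyphen is escaped so it is a literal, not a range.
my $ALLOWED = qr/^[\w\s.,;:'"\/?\$()+%\-!=\@]+$/;

# The same class written with an unescaped "%-_": inside a character class
# this is a RANGE from '%' (0x25) to '_' (0x5F), which silently admits
# '<', '>', '=', '[', '\' and ']' among others.
my $BUGGY = qr/^[\w\s.,;:'"\/?\$()+%-_!=\@]+$/;

# Returns 1 if the whole string consists only of characters in the class
# matched by $re, 0 otherwise (undefined input is rejected).
sub is_allowed {
    my ($text, $re) = @_;
    return defined $text && $text =~ $re ? 1 : 0;
}

# Constructed test inputs: two ordinary messages, one with an HTML tag,
# one with backslashes.
my @samples = (
    "Please send me a quote for 20 units.",
    "Reach me at user\@example.com, thanks!",
    "<script>alert(1)</script>",
    "path\\with\\backslashes",
);

for my $user_body (@samples) {
    printf "%-40s intended:%d  buggy:%d\n",
        $user_body,
        is_allowed($user_body, $ALLOWED),
        is_allowed($user_body, $BUGGY);
}
```

The two ordinary messages pass both patterns; the tag and the backslash message are rejected by `$ALLOWED` but accepted by `$BUGGY`, because `<` (0x3C) and `\` (0x5C) fall inside the accidental `%-_` range. Keeping the allow-list small and spelling every punctuation character literally (or escaping it) is what makes the check say only what you meant it to say.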
