perl.beginners mailing list, March 2002
RE: unallowed chars
From: Teresa Raymond
Date: March 29, 2002 10:02
Subject: RE: unallowed chars
Message ID: p05100300b8ca5bea9482@[64.108.206.95]
Thank you John. Jenna I know what you were trying to say but there
is a list somewhere of characters that for security reasons oughtn't
be allowed. I'm sorry if it seemed like I didn't read your message,
I did but I remember about six months ago someone posted this list
I'm talking about. I didn't print it or back it up and my iMac's
logic board fried. Anyhow, sorry for the offense.
>Teresa,
>
>You've been very helpful to me in the past, so the least I can do is return
>the favor.
>
>I wrote an e-mail autoresponder for my web site which filters out certain
>characters. It seems to have worked well for me, so far. I'll post the
>relevant code below as an example -- you might find it useful for your
>current project.
>
>The incoming e-mail form variables from my web page are vetted through
>various tests before they're processed. The first thing I do is to translate
>all "<, >, {, }, [, ]" characters to either "(" or ")", as appropriate. My
>theory is that I don't want any HTML tags being taken in, and will gladly
>suffer whatever small degradation which might occur to someone's prose style
>as a consequence. <g>
>
> $user_body =~ tr/<>/()/;   # '<' -> '(', '>' -> ')'
> $user_body =~ tr/{}/()/;   # '{' -> '(', '}' -> ')'
> $user_body =~ tr/[]/()/;   # '[' -> '(', ']' -> ')'
>
>Then, making sure I add insult to injury, I also filter out the following:
>
> $user_body =~ /^([\/\?\$\(\)\;\"\',\+:%\-_!=:\@\s\w.]+)$/;   # matches only if every character is in this set
>
>This seems to work for my application wherein users are sending e-mail to me
>on business-related topics. If your application concerns a subject area
>wherein any of the foregoing characters are essential, then just allow 'em
>to come through.
>
>I hope this is useful as a working example.
>
>John--
>
>
>-----Original Message-----
>From: Teresa Raymond [mailto:traymond@mariposanet.com]
>Sent: Thursday, March 28, 2002 5:46 PM
>To: Perl Beginners List
>Subject: re: unallowed chars
>
>
>Ok, and where are the recommended characters to disallow? I have
>tested and I know which characters are going through but I would like
>to make sure I've included most of the recommended list.
>
>>From: Teresa Raymond <traymond@mariposanet.com>
>>
>>> Where in the Camel or other resource is the list of characters that
>>> we don't want people to type in. I'm still collecting all the
>>> resources I lost from my logic board dying. Thanks in advance.
>>
>>When testing data you should ALWAYS test whether the string
>>contains only the allowed characters or is in the allowed format,
>>never whether it contains some forbidden characters or contains
>>something that you do not like.
>>
>>You may forget something that happens to be special in your case
>>and you would open a security hole while thinking you are safe.
>>
>>While in life I prefer "what is not forbidden, is allowed",
>>in programming it should be the opposite.
>>
>>Jenda
>>
>>=========== Jenda@Krynicky.cz == http://Jenda.Krynicky.cz ==========
>>There is a reason for living. There must be. I've seen it somewhere.
>>It's just that in the mess on my table ... and in my brain
>>I can't find it.
>>                --- me
>>
>>--
>>To unsubscribe, e-mail: beginners-unsubscribe@perl.org
>>For additional commands, e-mail: beginners-help@perl.org
--
-------------------------------
- Teresa Raymond -
- Mariposa Net -
- http://www.mariposanet.com -
-------------------------------
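An added example, not code from anyone in this thread, that puts Jenda's allowlist rule next to John's bracket translation in one runnable script; the permitted character set and the sample inputs are my own assumptions, and the range-form subroutine is kept only to show why `tr/<->/(-)/` also rewrites `=`.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Allowlist check in the spirit of Jenda's advice: accept the body only if
# every character is in the permitted set. The set itself is an assumption
# for this example; trim or extend it to what your application needs.
my $ALLOWED = qr/^[\w\s.,;:'"?!()\/\@+%\-=\$]+\z/;

sub body_is_allowed {
    my ($body) = @_;
    return (defined $body && $body =~ $ALLOWED) ? 1 : 0;
}

# John's bracket translation written with explicit character lists.
sub neutralise_brackets {
    my ($body) = @_;
    $body =~ tr/<{[/(((/;   # opening brackets become '('
    $body =~ tr/>}]/)))/;   # closing brackets become ')'
    return $body;
}

# The range form from the thread, kept only to show its side effect:
# '<' .. '>' in ASCII also covers '=', so "a = b" turns into "a ) b".
sub range_form {
    my ($body) = @_;
    $body =~ tr/<->/(-)/;   # '<' -> '(', '=' -> ')', '>' -> ')'
    return $body;
}

# Constructed sample inputs, not taken from the thread.
my @samples = (
    "Could you quote me for 20 units?",   # plain prose: passes
    "a = b and 3 <= 5",                   # '=' must survive neutralisation
    "<b>bold</b> and {braces}",           # brackets become parentheses
    "pipe | here",                        # '|' is outside the allowlist: rejected
);

printf "%-28s | %-28s | %s\n", 'input', 'neutralised', 'allowed';
for my $in (@samples) {
    my $clean = neutralise_brackets($in);
    printf "%-28s | %-28s | %d\n", $in, $clean, body_is_allowed($clean);
}
printf "\nrange form on '%s' gives '%s'\n", 'a = b', range_form('a = b');
```

The last sample is rejected even though it contains none of the bracket characters, which is the case a denylist silently lets through.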