[ic] Nifty enhancement to [query ...]
Jon Jensen
interchange-users@interchange.redhat.com
Tue Jan 15 17:43:00 2002
On Tue, 15 Jan 2002, Peter Jakl wrote:
> open(KWCH, "$cmd |");
[snip]
> [perl]
> $n = 0;
> $Scratch->{command} = "grep -fsku:description:price ";
> for $kw (split(/\s+/, $CGI->{keywords})) {
> $n++;
> $Scratch->{command} .= "| grep " if $n > 1;
> $Scratch->{command} .= " \"$kw\" ";
> $Scratch->{command} .= "products/kwdata.txt " if $n == 1;
> }
> $Scratch->{command} .= "| cut -f1,3,4";
> return "";
> [/perl]
> [query st=db list=1 more=1 ml=20 sql="[scratch command]"]
Watch out when you take raw CGI input and pass that to the shell! The
safest thing to do would be:
$CGI->{keywords} =~ s/[^\s\w.\-#%]//g;
Get rid of all characters except letters, numbers, spaces (which you split
on), and a few safe symbols. (Get rid of those too if you don't need to
search on them.)
Otherwise someone will eventually figure out how to execute arbitrary
commands on your system.
Jon
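Added example, not part of the original thread: the whitelist Jon proposes, followed by a search that starts grep with the list form of open() so the keywords are never parsed by a shell. It assumes a products file in the tab-separated layout of kwdata.txt, which is constructed inline here.

```perl
# Added example, not from the original thread: apply the whitelist to
# the keywords, then run grep with the list form of open() so that the
# keywords are passed as arguments and never handed to a shell.
use strict;
use warnings;
use File::Temp qw(tempfile);

# Keep only letters, digits, whitespace and a few safe symbols.
# Everything else (quotes, ; | $ ` & and so on) is dropped.
sub sanitize_keywords {
    my ($raw) = @_;
    $raw = '' unless defined $raw;
    $raw =~ s/[^\s\w.\-#%]//g;   # hyphen escaped so it is not a range
    return $raw;
}

# Split the cleaned string into search terms, skipping empty pieces.
sub keyword_list {
    my ($raw) = @_;
    return grep { length } split /\s+/, sanitize_keywords($raw);
}

# Run the first grep as a child process (argument list, no shell), then
# filter the remaining terms in Perl. Returns the matching lines.
sub search_file {
    my ($file, @terms) = @_;
    return () unless @terms;
    my $first = shift @terms;
    # "--" ends option parsing: the whitelist allows "-", so a term
    # such as "-rf" must not be taken as a grep option.
    open(my $in, '-|', 'grep', '-i', '--', $first, $file)
        or die "cannot run grep: $!";
    chomp(my @lines = <$in>);
    close $in;
    for my $term (@terms) {
        @lines = grep { index(lc $_, lc $term) >= 0 } @lines;
    }
    return @lines;
}

# Constructed sample data in the layout of products/kwdata.txt (tab-separated).
my ($fh, $file) = tempfile(UNLINK => 1);
print $fh "SKU-1\tRed widget\t10.00\n",
          "SKU-2\tBlue widget\t12.50\n",
          "SKU-3\tRed gadget\t8.00\n";
close $fh;

# Constructed input with shell metacharacters; they vanish before any process runs.
my @terms = keyword_list('red "widget" & blue; 10%');
print "terms: @terms\n";                               # terms: red widget blue 10%
print "$_\n" for search_file($file, 'red', 'widget');   # only the SKU-1 line
```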