[ic] Nifty enhancement to [query ...]

Jon Jensen interchange-users@interchange.redhat.com
Tue Jan 15 17:43:00 2002


On Tue, 15 Jan 2002, Peter Jakl wrote:

>     open(KWCH, "$cmd |");

[snip]

> [perl]
> $n = 0;
> $Scratch->{command} = "grep -fsku:description:price ";
> for $kw (split(/\s+/, $CGI->{keywords})) {
> 	$n++;
> 	$Scratch->{command} .= "| grep " if $n > 1;
> 	$Scratch->{command} .= " \"$kw\" ";
> 	$Scratch->{command} .= "products/kwdata.txt " if $n == 1;
> }
> $Scratch->{command} .= "| cut -f1,3,4";
> return "";
> [/perl]
> [query st=db list=1 more=1 ml=20 sql="[scratch command]"]

Watch out when you take raw CGI input and pass that to the shell! The
safest thing to do would be:

$CGI->{keywords} =~ s/[^\s\w.#%-]//g;

Get rid of all characters except letters, numbers, spaces (which you split
on), and a few safe symbols. (Get rid of those too if you don't need to
search on them.)

Otherwise someone will eventually figure out how to execute arbitrary
commands on your system.

Jon
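An added example, not part of Jon's message or of Interchange's own code: the allowlist filter beside the shell string it protects, and the same grep search redone so that the keywords never reach /bin/sh at all. It assumes Perl 5.8 or later (for the list form of open) and a constructed kwdata.txt with tab-separated sku, category, description and price columns; the hostile keyword string is made up for the demonstration.

```perl
#!/usr/bin/perl
# Added example (not from the thread or from Interchange): Jon's allowlist
# beside the shell string it protects, and the same keyword search redone
# so that no shell ever parses the user's input. Needs Perl 5.8+ for the
# list form of open(); the data file is constructed below.
use strict;
use warnings;
use File::Temp qw(tempfile);

# Constructed stand-in for $CGI->{keywords}: a search for "blue widget"
# with a second command smuggled in behind a closing double quote.
my $raw = q{blue widget";id;#};

# Jon's filter. The hyphen sits last in the class so it is a literal '-'
# and not the malformed range '.-#'.
sub sanitize_keywords {
    my ($kw) = @_;
    $kw =~ s/[^\s\w.#%-]//g;
    return $kw;
}

# What the original code hands to /bin/sh via open(KWCH, "$cmd |").
# This is the vulnerable form; it is only built here, never executed.
sub shell_command_for {
    my @kw  = split /\s+/, shift;
    my $cmd = 'grep -i';
    for my $i (0 .. $#kw) {
        $cmd .= ' | grep -i' if $i > 0;
        $cmd .= qq{ "$kw[$i]"};
        $cmd .= ' products/kwdata.txt' if $i == 0;
    }
    return "$cmd | cut -f1,3,4";
}

print "raw:       ", shell_command_for($raw), "\n";
print "sanitized: ", shell_command_for(sanitize_keywords($raw)), "\n";

# The same search with no shell in the path: the first grep gets its argv
# as a list (one keyword per argument; -F matches it literally and -e keeps
# a keyword that starts with '-' from being read as an option), the
# remaining keywords are matched in Perl, and fields 1,3,4 replace
# "cut -f1,3,4".
sub keyword_search {
    my ($datafile, @kw) = @_;
    return () unless @kw;
    my ($first, @rest) = @kw;
    open(my $fh, '-|', 'grep', '-F', '-i', '-e', $first, '--', $datafile)
        or die "cannot run grep: $!";
    my @rows;
  LINE: while (my $line = <$fh>) {
        chomp $line;
        for my $k (@rest) {
            next LINE unless $line =~ /\Q$k\E/i;
        }
        my @f = split /\t/, $line;
        push @rows, join "\t", @f[0, 2, 3];
    }
    close $fh;    # grep exits 1 on "no match"; that is not an error here
    return @rows;
}

# Constructed kwdata.txt: sku, category, description, price.
my ($tmp, $path) = tempfile(UNLINK => 1);
print {$tmp} join("\n",
    "W-100\thardware\tBlue widget, small\t4.99",
    "W-200\thardware\tRed widget, large\t7.49",
    "G-300\tgarden\tBlue gnome\t12.00",
), "\n";
close $tmp;

# Hostile input: the second keyword is matched literally; nothing else runs.
my @hit = keyword_search($path, split /\s+/, $raw);
print "hostile input matched ", scalar(@hit), " rows\n";

# Normal input.
print "$_\n" for keyword_search($path, 'blue', 'widget');
```

Run it and compare the two command strings: with the raw input the shell would see `grep -i "widget";id;#"`, so the quoted word ends at the second `"`, `id` runs as a command of its own and `#` comments out the rest of the pipeline, while the sanitized string is a single quoted argument. One caveat on the filter as written: it keeps `-`, so a keyword such as `-r` would still reach grep as an option; passing the pattern through `-e` (and the file after `--`) as above closes that gap, and with the list form of open the quoting question never arises in the first place.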