[ic] Nifty enhancement to [query ...]

Jason Kohles interchange-users@interchange.redhat.com
Wed Jan 16 09:41:01 2002


On Tue, Jan 15, 2002 at 05:42:25PM -0500, Jon Jensen wrote:
> On Tue, 15 Jan 2002, Peter Jakl wrote:
> 
> >     open(KWCH, "$cmd |");
> 
> Watch out when you take raw CGI input and pass that to the shell! The
> safest thing to do would be:
> 
> $CGI->{keywords} =~ s/[^\s\w.-#%]//g;
> 
> Get rid of all characters except letters, numbers, spaces (which you split
> on), and a few safe symbols. (Get rid of those too if you don't need to
> search on them.)
> 
Of course you should also escape the period in this regexp, or else you will
end up only getting rid of newlines.  =)

And just to be safe you should escape the dash, to ensure that perl doesn't
find a way to turn it into a range; either that, or make sure it's the first
character in the group.

$CGI->{keywords} =~ s/[^\s\w\.\-#%]//g;

-- 
Jason Kohles                                 jkohles@redhat.com
Senior System Architect                      (703)786-8036 (cellular)
Red Hat Professional Consulting              (703)456-2940 (office)
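The two points in this exchange, filtering the CGI field down to a whitelist and keeping the result away from a shell, as an added Perl example that is not code from the thread or from Interchange. It uses the final regexp from the reply above and the list form of `open`, which executes the program directly instead of via `/bin/sh`; the search program is stood in by `/bin/echo`, and `sanitize_keywords` / `run_keyword_search` are hypothetical names chosen for this example.

```perl
#!/usr/bin/perl
# Added example (not from the original thread or Interchange): whitelist a
# CGI "keywords" field and run the search helper without a shell.
use strict;
use warnings;

# Keep only whitespace, word characters and the four "safe" symbols . - # %.
# The period and dash are escaped inside the class, so '.' is literal and
# '-' cannot be read as the middle of a range (the fix proposed in the reply).
sub sanitize_keywords {
    my ($raw) = @_;
    (my $clean = $raw // '') =~ s/[^\s\w\.\-#%]//g;
    return $clean;
}

# Run the search program with the list form of open.  With the command and
# its arguments passed as separate list elements, perl execs the program
# directly and never invokes /bin/sh, so no metacharacter in the keywords
# can be interpreted.  $search_cmd is assumed to accept keywords as argv.
sub run_keyword_search {
    my ($search_cmd, $raw_keywords) = @_;
    my @words = split ' ', sanitize_keywords($raw_keywords);
    return () unless @words;    # nothing usable left after filtering
    open(my $kwch, '-|', $search_cmd, @words)
        or die "cannot run $search_cmd: $!";
    my @results = <$kwch>;
    close($kwch);
    chomp @results;
    return @results;
}

# Constructed sample inputs, including strings that would be dangerous if
# they were interpolated into "$cmd |" and handed to a shell.
my @samples = (
    'red widget',
    'widget; rm -rf /',
    'widget `id` $(whoami)',
    'a.b-c#d%e|f&g',
);

for my $raw (@samples) {
    printf "%-26s => %s\n", "'$raw'", "'" . sanitize_keywords($raw) . "'";
}

# /bin/echo stands in for the real search program so the example runs anywhere.
my @out = run_keyword_search('/bin/echo', 'widget; rm -rf /');
print "argv seen by the program: $_\n" for @out;
```

The whitelist is still worth applying even with the list-form `open`: it keeps the keyword list small and predictable for the search program, while the list form is what actually removes the shell from the picture.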