On 13/12/03 13:57 -0800, T.J. wrote:
> When using perl I almost always use something like...
#!/usr/bin/perl -T
use strict;
use warnings;
> $data = <STDIN>; # Or rather, from the query string or post request, etc
> $data =~ s/\W//g; # Strips any non alphanumeric character
What if we are dealing with passwords? Or a field where a
non-alphanumeric character is valid?
Use the \Q and qq operators instead.
If you are dealing with CGI scripts, use the CGI module. Don't reinvent
the wheel.
> # Optionally if the buffer length is a concern: $Ldata = length($data);
> if($Ldata > 100) { die print "Whatever.\n"}
> $dbh stuff for the SQL query here using $data as the input.
Use placeholders when dealing with DBI.
> I'm not very fluent in php or asp but I'm sure they have something similar
> to the s/// command, right?
PHP has PCRE at least.
Devdas Bhagat
Received on Dec 21 2003
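
The DBI placeholder advice in the reply above, as an added example that is not part of the original thread: input keeps its punctuation, only its length is checked, and the value is bound as data rather than pasted into the SQL. It assumes DBD::SQLite is installed; the table, the sub name and the sample values are hypothetical and constructed for illustration.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use DBI;

# Assumption: DBD::SQLite is available; an in-memory database keeps this offline.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, PrintError => 0, AutoCommit => 1 });
$dbh->do('CREATE TABLE users (name TEXT PRIMARY KEY, note TEXT)');

# Constructed sample row: both fields contain characters that \W would strip.
my $ins = $dbh->prepare('INSERT INTO users (name, note) VALUES (?, ?)');
$ins->execute(q{o'brien}, q{p@ss'w0rd; --});

# Look up a row by name. The length is checked but the content is not
# rewritten; the driver binds the value, so quotes never act as SQL syntax.
sub find_note {
    my ($name) = @_;
    die "name too long\n" if length($name) > 100;
    my $sth = $dbh->prepare('SELECT note FROM users WHERE name = ?');
    $sth->execute($name);
    my ($note) = $sth->fetchrow_array;
    $sth->finish;
    return $note;
}

# Constructed inputs: a legitimate name with an apostrophe, then a string
# shaped like an injection attempt. The second simply matches no row.
for my $input (q{o'brien}, q{x' OR '1'='1}) {
    my $note = find_note($input);
    printf "%-16s => %s\n", $input, defined $note ? $note : '(no row)';
}

# For comparison, the s/\W//g approach from the quoted message alters the
# value itself, so it no longer equals what was originally supplied.
(my $stripped = q{p@ss'w0rd; --}) =~ s/\W//g;
print "after s/\\W//g: $stripped\n";

$dbh->disconnect;
```

Because of the `-T` on the `#!` line, run it as `perl -T file.pl` when not executing the file directly.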