Vulnerability Development mailing list archives

Re: Serious Hole in Comment/Discussion CGI script


From: Ekke Vasli <ekke () CHAMBER EE>
Date: Sat, 28 Oct 2000 09:59:54 +0300

Alex Andrews wrote:

> 1) Remove the null character
>         $input =~ s/\0//g;
>
> 2) Remove all the standard metacharacters (which are
> &;`'\"|*?~<>^()[]{}$\n\r )
>         $input =~ s/([\&;\`'\\\|"*?~<>^\(\)\[\]\{\}\$\n\r])/\\$1/g;

I think it's better (and not so ugly ;o) just to allow the variable to be of a
certain format..
be it
    $filename =~ /^\w+$/ or die("Crappy filename");
or
    $email =~ /^[[:alnum:]\.]+\@([[:alnum:]\.])+$/ or die("Uh-Oh");
Ok, the email check syntax might be even a bit more complicated but...

Just the question of policy.. to allow all but some characters or to allow
just a certain format of a variable..

-ekke
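To put the two policies side by side, here is an added example in Perl (mine, not code from this thread) that runs the quoted escape approach and an allowlist check over constructed sample inputs; the filename and e-mail patterns are my assumptions, not anything the posts specify.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Allowlist: accept only a known-good shape and reject everything else.
# \A and \z anchor the whole string; with /^...$/ a trailing newline would
# still pass, because $ also matches just before a final "\n".
sub valid_filename {
    my ($name) = @_;
    return $name =~ /\A[A-Za-z0-9_-]+(?:\.[A-Za-z0-9]+)?\z/ ? 1 : 0;
}

sub valid_email {
    my ($addr) = @_;
    return $addr =~ /\A[[:alnum:]._-]+\@[[:alnum:]-]+(?:\.[[:alnum:]-]+)+\z/ ? 1 : 0;
}

# Blocklist: the quoted post's approach, which strips NUL and backslash-escapes
# a fixed list of shell metacharacters but passes everything else through.
sub escape_meta {
    my ($input) = @_;
    $input =~ s/\0//g;
    $input =~ s/([\&;\`'\\\|"*?~<>^\(\)\[\]\{\}\$\n\r])/\\$1/g;
    return $input;
}

# Constructed sample inputs: two well-formed names, one with a metacharacter,
# one with a trailing newline, and an empty string.
my @names = ('report.txt', 'notes-2000_10.html', 'a;b', "x.txt\n", '');
for my $n (@names) {
    (my $shown = $n) =~ s/\n/\\n/g;
    (my $esc = escape_meta($n)) =~ s/\n/\\n/g;
    printf "%-20s allowlist=%d  escaped=%s\n", "'$shown'", valid_filename($n), $esc;
}

# Constructed e-mail samples: one valid, one without a domain part, one with a space.
for my $e ('user@example.com', 'user@example', 'user name@example.com') {
    printf "%-24s valid_email=%d\n", "'$e'", valid_email($e);
}
```

The escaped column shows that `escape_meta` never rejects anything, it only rewrites it, so the caller still has to decide what the result may be used for; the allowlist column gives a plain accept/reject answer.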
