WebApp Sec mailing list archives

Re: How to handle "special characters"


From: Devdas Bhagat <devdas () dvb homelinux org>
Date: Sun, 21 Dec 2003 14:59:37 +0530

On 13/12/03 13:57 -0800, T.J. wrote:
> When using perl I almost always use something like...
> 
> #!/usr/bin/perl -T
> 
> use strict;
> use warnings;
> 
> my $data = <STDIN>; # Or rather, from the query string or post request, etc
> $data =~ s/\W//g; # Strips any non alphanumeric character
> 
> What if we are dealing with passwords? Or a field where a non
> alphanumeric character is valid?

Use the \Q and qq operators instead.
If you are dealing with CGI scripts, use the CGI module. Don't reinvent
the wheel.

> # Optionally if the buffer length is a concern: my $Ldata = length($data);
> if($Ldata > 100) { die print "Whatever.\n"}
> 
> $dbh stuff for the SQL query here using $data as the input.

Use placeholders when dealing with DBI.

> I'm not very fluent in php or asp but I'm sure they have something similar
> to the s/// command, right?

PHP has PCRE at least.

Devdas Bhagat
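As an added illustration of the advice in this reply (example code, not from the thread), a CGI script that validates each field against what it actually requires instead of stripping characters, and binds values through DBI placeholders so a password containing quotes or semicolons survives intact. The DSN, the users table and its username/password_hash columns are assumptions.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use CGI;
use DBI;

# Constructed input: a password containing characters that s/\W//g
# would silently strip, changing what the user actually typed.
my $q        = CGI->new;
my $user     = $q->param('user')     // 'alice';
my $password = $q->param('password') // 'p@ss"w0rd;--';

# Validate against what each field requires. The username is untainted
# through a capture; the password is only length-checked, because any
# printable character is valid there.
my ($clean_user) = $user =~ /\A([\w.-]{1,64})\z/
    or die "invalid username\n";
die "password too long\n" if length($password) > 100;

# Hypothetical DSN; the schema (users.username, users.password_hash)
# is assumed for this example.
my $dbh = DBI->connect('dbi:SQLite:dbname=users.db', '', '',
                       { RaiseError => 1, AutoCommit => 1 });

# Placeholder: the value is bound as data, never interpolated into the
# SQL text, so quotes, semicolons and '--' in it cannot alter the query.
my $sth = $dbh->prepare(
    'SELECT password_hash FROM users WHERE username = ?');
$sth->execute($clean_user);
my ($stored_hash) = $sth->fetchrow_array;

# The password itself never reaches the database; it is checked locally
# against the stored crypt(3) hash, with its special characters intact.
my $ok = defined $stored_hash
      && crypt($password, $stored_hash) eq $stored_hash;

print $q->header('text/plain'), $ok ? "login ok\n" : "login failed\n";
```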

