8/01/2002

Web Design::Perl::Input Validation


Writing secure forms & scripts. Prevent your script from getting hacked!
ASPN : Rx Cookbook : Removing dangerous characters from CGI forms
From: http://aspn.activestate.com/ASPN/Cookbook/Rx/Recipe/65124
When you write a CGI script, you should be conscious of the content of any user-supplied data your script processes. Malicious users can insert shell metacharacters and other special control characters into form data so that your script, or a program it invokes, does something you never intended.

One simple way to "sanitize" user data is to filter out any characters in the data which are not within a set of allowed characters, as this example shows. Note that the example replaces each disallowed character with an underscore rather than deleting it, so the length of the input is preserved and a rewritten value is easy to spot in logs.
#!/usr/local/bin/perl
use strict;
use warnings;

# Get the data (use an empty string if the server set no query string)
my $user_data = defined $ENV{'QUERY_STRING'} ? $ENV{'QUERY_STRING'} : '';
print "$user_data\n";                 # Show the raw input
# A restrictive list, which should be modified to match an appropriate RFC,
# for example. The '-' is first so the character class treats it literally.
my $OK_CHARS = '-a-zA-Z0-9_.@';
# Replace every character that is NOT in the allowed set with an underscore.
# /o compiles the pattern once; that is fine here because $OK_CHARS never changes.
(my $clean = $user_data) =~ s/[^$OK_CHARS]/_/go;
print "$clean\n";                     # Show the sanitized result
exit(0);

This example came from CERT® Coordination Center at Carnegie Mellon
University (http://www.cert.org/tech_tips/cgi_metacharacters.html).
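The CERT snippet applies one allow-list to the whole query string. In practice a form has several fields with different rules, and a value can also carry dangerous characters in URL-encoded form (`%3B` for `;`, `%0A` for a newline). The following script is an added example, not part of the ASPN recipe or the CERT tech tip: it decodes the query string first, then checks each field against its own anchored allow-list and rejects (rather than rewrites) anything that does not match. The field names, patterns and sample query strings are assumptions constructed for illustration.

```perl
#!/usr/bin/perl
# Added example (not the CERT/ASPN code): per-field allow-list validation
# of a CGI query string. Field names and patterns are hypothetical.
use strict;
use warnings;

# One anchored allow-list per field. \A and \z are used instead of ^ and $
# because $ in Perl also matches just before a trailing newline, which would
# let "alice\n" pass a pattern meant to admit only "alice".
my %ALLOWED = (
    user  => qr/\A[a-zA-Z0-9_]{1,32}\z/,
    email => qr/\A[a-zA-Z0-9._-]+@[a-zA-Z0-9.-]+\z/,
    age   => qr/\A[0-9]{1,3}\z/,
);

# Decode one application/x-www-form-urlencoded value.
sub url_decode {
    my ($s) = @_;
    $s =~ tr/+/ /;
    $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    return $s;
}

# Parse a query string into field => value (a repeated field keeps the last value).
sub parse_query {
    my ($qs) = @_;
    my %form;
    for my $pair (split /&/, $qs) {
        my ($k, $v) = split /=/, $pair, 2;
        next unless defined $k && length $k;
        my $key = url_decode($k);
        $form{$key} = url_decode(defined $v ? $v : '');
    }
    return \%form;
}

# Validate every field. Unknown fields are reported, known fields must match
# their pattern. Returns (\%clean, \@errors). Rejecting is preferred to
# rewriting because a rewritten value may no longer mean what the user sent.
sub validate_form {
    my ($form) = @_;
    my (%clean, @errors);
    for my $name (sort keys %$form) {
        my $re = $ALLOWED{$name};
        if (!$re) {
            push @errors, "unexpected field '$name'";
            next;
        }
        my $value = $form->{$name};
        # Decoding already happened in parse_query, so encoded control
        # characters are checked in their decoded form.
        if ($value =~ $re) {
            $clean{$name} = $value;
        } else {
            push @errors, "field '$name' contains disallowed characters";
        }
    }
    return (\%clean, \@errors);
}

# Constructed sample query strings (not real traffic).
my @samples = (
    'user=alice&email=alice%40example.com&age=34',      # all fields valid
    'user=bob%3Bextra&email=bob%40example.com',         # encoded ';' in user
    'user=carol&email=carol%40example.com%0A',          # trailing newline in email
    'user=dave&debug=1',                                # field not on the form
);

for my $qs (@samples) {
    my ($clean, $errors) = validate_form(parse_query($qs));
    print "query: $qs\n";
    print "  ok: ", join(', ', map { "$_=$clean->{$_}" } sort keys %$clean), "\n";
    print "  error: $_\n" for @$errors;
}
```

The second and third samples show why decoding must happen before validation: `%3B` and `%0A` are made of characters the CERT allow-list would accept, yet they decode to a semicolon and a newline. The third sample would also slip past a `^...$` pattern, which is why the patterns above end in `\z`.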
