Forcing Alphanumeric Text Entry

sekdab

Hello all.

Disclaimer: I am a Perl newbie. Though I know a good deal of shell and
some PHP, Perl is otherwise new territory for me.

I've gone ahead and loaded the CGI.pm module and, as a test, am
creating a small password change screen. Everything was fine and I
had the page up and running in no time. I did this to focus a bit on
security, and was wondering what the best way would be to limit the
characters entered to alphanumeric.

I.e. I want to prevent someone from using "tom ; cat /etc/passwd" as a
password because this data is being passed to a shell.

I've just started reading up on regular expressions and can probably
figure out a convoluted way to do this; I just wanted some hints as to
how others have done this in the past.

Thanks for the help.
Tom
 
James E Keenan

A. Sinan Unur said:
in general, the way you would test for alphanumericness would be
something like:
if ($input =~ /^[A-Za-z0-0]+$/) {
                       ^ ^
A typo there: [0-0] in place of [0-9]?

Wouldn't it be better to use /^\w+$/ ?
I responded on the assumption that OP wanted strictly alphanumeric
characters. Perl's \w adds '_' to the character class [A-Za-z0-9]. If
'_' is permissible input for his problem, then it -- and no other
punctuation characters -- can indeed be allowed with \w.
 
Steve

Hi Tom,

I'm still kind of new to this, but have been reading up on the topic.
For security, you want to first investigate using the -T taint switch:

#!/usr/bin/perl -Tw

This now makes the script die if unsafe data (input from outside of
the script) is used in a dangerous way.

Then, to untaint the data, you need to use backreferences (I think
this is what it is called):

if ($key =~ /^([-_\w\s]+)$/) {
$key = $1
} else {
bad_data ($bad_string)
}

Basically, in a regex, something surrounded by parens () is placed
into the variable $1, so /^([-_\w\s]+)$/ will only allow alphanumeric
input, the space, and the dash or underscore. If this is correct, the
input is placed into $1 and then you untaint the variable:

$key = $1
 
Steve

whoops...make that:

if ($key =~ /^([-_\w\s]+)$/) {
$key = $1
} else {
bad_data ($key)
}

I'm rewriting that, so had $string as input to my function bad_data
instead of $key ;-)
 
sekdab

Wow!

Thanks for the responses, this is exactly what I need and corresponds
to what I've been reading up on regex. I am loving this language :).
I'll start using the taint option as well; have been using -w and use
strict.

Thanks again,
Tom

James E Keenan said:
Steve said:
Hi Tom,

I'm still kind of new to this, but have been reading up on the topic.
For security, you want to first investigate using the -T taint switch:

#!/usr/bin/perl -Tw

This now makes the script die if unsafe data (input from outside of
the script) is used in a dangerous way.

Then, to untaint the data, you need to use backreferences (I think
this is what it is called):

if ($key =~ /^([-_\w\s]+)$/) {
$key = $1
} else {
bad_data ($bad_string)
}
Right code; wrong terminology. $1 is a 'match variable': it captures what
was matched in the 1st pair of parentheses and stores it in a variable. A
backreference (written \1 \2 \3 and so on) is a way of re-using a match
within the same regular expression pattern.

my $string = 'aaabacabad';
# my $string = 'aaabacad';
if ($string =~ /(ab).*\1/) {
print "Pattern matched in $string\n";
my $cap = $1;
print "$cap was captured\n";
} else {
print "Out of luck, buddy\n";
}
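The untaint-by-capture step Steve describes, together with the $1 match variable James explains, as an added example that is not part of this thread. It is run as `perl -T` so that taint mode is active; the untaint_alnum function, the strictly alphanumeric allowlist (no '_', matching Tom's stated requirement) and the sample inputs are constructed for illustration, and Scalar::Util::tainted is used only to show the taint flag before and after the capture.

```perl
#!/usr/bin/perl -T
# Added example, not code from the thread. Run as: perl -T untaint.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Return the untainted value when $input is strictly alphanumeric and of
# sane length, otherwise return undef. Copying the captured group ($1)
# is what clears the taint, so the group must cover the whole value and
# the pattern must be anchored at both ends.
sub untaint_alnum {
    my ($input) = @_;
    return unless defined $input;
    # \z is used instead of $ because $ also matches just before a
    # trailing newline; \z only matches at the true end of the string.
    return $1 if $input =~ /\A([A-Za-z0-9]{1,64})\z/;
    return;
}

# Constructed samples. Under -T anything derived from %ENV is tainted,
# so appending an empty tainted string marks each sample as "came from
# outside the script", the same status CGI form data would have.
my $taint   = substr($ENV{PATH} // '', 0, 0);
my @samples = map { $_ . $taint } (
    'tom',
    'tom ; cat /etc/passwd',   # the shell metacharacters from the question
    "tom\n",                   # trailing newline, rejected by \z
    'tom_smith',               # \w would allow '_'; this allowlist does not
);

for my $s (@samples) {
    my $ok    = untaint_alnum($s);
    my $shown = $s =~ s/\n/\\n/gr;   # make the newline visible in output
    printf "%-26s tainted=%d -> %s\n",
        "'$shown'",
        tainted($s) ? 1 : 0,
        defined $ok
            ? "accepted ('$ok', tainted=" . (tainted($ok) ? 1 : 0) . ")"
            : 'rejected';
}
```

Only the value copied out of $1 loses its taint; the original $s stays tainted, which is why the validated copy, not the raw input, is what should ever reach a shell.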
 
