Forcing Alphanumeric Text Entry

Discussion in 'Perl Misc' started by sekdab, Jul 18, 2003.

  1. sekdab

    sekdab Guest

    Hello all.

    Disclaimer, I am a Perl newbie. Though I know a good deal of shell,
    and some PHP, Perl is, otherwise, new territory for me.

    I've gone ahead and loaded the CGI.pm module and, as a test, am
    creating a small password change screen. Everything was fine and I
    had the page up and running in no time. I did this to focus a bit on
    security, and was wondering what the best way would be to force limit
    the characters entered to alphanumeric.

    I.e. I want to prevent someone from using "tom ; cat /etc/passwd" as a
    password because this data is being passed to a shell.

    I've just started reading up on regular expressions and can probably
    figure out a convoluted way to do this; just wanted some hints as to
    how others have done this in the past.

    Thanks for the help.
    Tom
    sekdab, Jul 18, 2003
    #1

  2. "parv" <> wrote in message
    news:...
    > in message <bf7kqo$>,
    > wrote James E Keenan ...
    >
    > > in general, the way you would test for alphanumericness would be
    > > something like:
    > > if ($input =~ /^[A-Za-z0-0]+$/) {

    > ^ ^
    > ^ ^
    > A typo there: [0-0] in place of [0-9]?


    Yes. Good catch.
    James E Keenan, Jul 18, 2003
    #2

  3. parv <> wrote in
    news::

    > in message <bf7kqo$>,
    > wrote James E Keenan ...
    >
    >> in general, the way you would test for alphanumericness would be
    >> something like:
    >> if ($input =~ /^[A-Za-z0-0]+$/) {

    > ^ ^
    > ^ ^
    > A typo there: [0-0] in place of [0-9]?


    Wouldn't it be better to use /^\w+$/ ?

    --
    A. Sinan Unur

    Remove dashes for address
    Spam bait: mailto:
    A. Sinan Unur, Jul 18, 2003
    #3
  4. "A. Sinan Unur" <> wrote in message
    news:Xns93BBE599CDDBCasu1cornelledu@132.236.56.8...
    > parv <> wrote in
    > news::
    >
    > > in message <bf7kqo$>,
    > > wrote James E Keenan ...
    > >
    > >> in general, the way you would test for alphanumericness would be
    > >> something like:
    > >> if ($input =~ /^[A-Za-z0-0]+$/) {

    > > ^ ^
    > > ^ ^
    > > A typo there: [0-0] in place of [0-9]?

    >
    > Wouldn't it be better to use /^\w+$/ ?
    >

    I responded on the assumption that OP wanted strictly alphanumeric
    characters. Perl's \w adds '_' to the character class [A-Za-z0-9]. If '_'
    is permissible input for his problem, then it -- and no other punctuation
    characters -- can indeed be allowed with \w.
    James E Keenan, Jul 18, 2003
    #4
  5. sekdab

    Steve Guest

    Hi Tom,

    I'm still kind of new to this, but have been reading up on the topic.
    For security, you want to first investigate using the -T taint switch:

    #!/usr/bin/perl -Tw

    This now makes the script die if unsafe data (input from outside of
    the script) is used in a dangerous way.

    Then, to untaint the data, you need to use backreferences (I think
    this is what it is called):

    if ($key =~ /^([-_\w\s]+)$/) {
        $key = $1
    } else {
        bad_data ($bad_string)
    }

    Basically, in a regex, something surrounded in parens () is placed
    into the variable $1, so /^([-_\w\s]+)$/ will only allow alphanumeric
    input, the space and the dash or underscore. If this is correct, the
    input is placed into $1 and then you untaint the variable:

    $key = $1

    On 17 Jul 2003 18:42:18 -0700, (sekdab) wrote:

    >Hello all.
    >
    >Disclaimer, I am a Perl newbie. Though I know a good deal of shell,
    >and some PHP, Perl is, otherwise, new territory for me.
    >
    >I've gone ahead and loaded the CGI.pm module and, as a test, am
    >creating a small password change screen. Everything was fine and I
    >had the page up and running in no time. I did this to focus a bit on
    >security, and was wondering what the best way would be to force limit
    >the characters entered to alphanumeric.
    >
    >I.e. I want to prevent someone from using "tom ; cat /etc/passwd" as a
    >password because this data is being passed to a shell.
    >
    >I've just started reading up on regular expressions and can probably
    >figure out a convoluted way to do this; just wanted some hints as to
    >how others have done this in the past.
    >
    >Thanks for the help.
    >Tom
    Steve, Jul 18, 2003
    #5
  6. sekdab

    Steve Guest

    On Thu, 17 Jul 2003 22:38:13 -0700, Steve <> wrote:

    whoops...make that:

    if ($key =~ /^([-_\w\s]+)$/) {
        $key = $1
    } else {
        bad_data ($key)
    }

    I'm rewriting that, so had $string as input to my function bad_data
    instead of $key ;-)
    Steve, Jul 18, 2003
    #6
  7. sekdab

    sekdab Guest

    Wow!

    Thanks for the responses, this is exactly what I need and corresponds
    to what I've been reading up on regex. I am loving this language :).
    I'll start using the taint option as well; have been using -w and use
    strict.

    Thanks again,
    Tom

    "James E Keenan" <> wrote in message news:<bf7ncb$>...
    > "Steve" <> wrote in message
    > news:...
    > > Hi Tom,
    > >
    > > I'm still kind of new to this, but have been reading up on the topic.
    > > For security, you want to first investigate using the -T taint switch:
    > >
    > > #!/usr/bin/perl -Tw
    > >
    > > This now makes the script die if unsafe data (input from outside of
    > > the script) is used in a dangerous way.
    > >
    > > Then, to untaint the data, you need to use backreferences (I think
    > > this is what it is called):
    > >
    > > if ($key =~ /^([-_\w\s]+)$/) {
    > > $key = $1
    > > } else {
    > > bad_data ($bad_string)
    > > }
    > >

    > Right code; wrong terminology. $1 is a 'match variable': it captures what
    > was matched in the 1st pair of parentheses and stores it in a variable. A
    > backreference (written \1 \2 \3 and so on) is a way of re-using a match
    > within the same regular expression pattern.
    >
    > my $string = 'aaabacabad';
    > # my $string = 'aaabacad';
    > if ($string =~ /(ab).*\1/) {
    >     print "Pattern matched in $string\n";
    >     my $cap = $1;
    >     print "$cap was captured\n";
    > } else {
    >     print "Out of luck, buddy\n";
    > }
    sekdab, Jul 18, 2003
    #7
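
An added example, not code from any poster in this thread: a stricter form of the untainting pattern discussed above, combined with a list-form system() call so the value is never parsed by a shell. The helper name untaint_alnum, the 64-character limit, the use of /bin/echo as a stand-in command and the sample inputs are assumptions made for illustration.

```perl
#!/usr/bin/perl -T
# Added example; run as: perl -T untaint_demo.pl  (the file name is arbitrary)
use strict;
use warnings;

$| = 1;    # unbuffered STDOUT so our report and the child's output stay in order

# Under -T, a known-safe PATH is required before any external command may run.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Hypothetical helper: returns the captured (untainted) value, or undef if rejected.
# \A and \z anchor to the real start and end of the string. With ^ and $,
# a value such as "tom\n" passes, because $ also matches before a final newline.
sub untaint_alnum {
    my ($value) = @_;
    return undef unless defined $value;
    # 64 is an assumed length limit, not something stated in the thread.
    return $value =~ /\A([A-Za-z0-9]{1,64})\z/ ? $1 : undef;
}

# Constructed sample inputs; the second one is the original poster's own example.
my @samples = ('Tom42', 'tom ; cat /etc/passwd', "tom\n", 'tom_1', '');

for my $input (@samples) {
    (my $shown = $input) =~ s/\n/\\n/g;    # make newlines visible in the report
    my $clean = untaint_alnum($input);
    if (defined $clean) {
        print "accept  '$shown'\n";
        # List-form system() execs the program directly: no shell parses the
        # argument, so metacharacters would carry no special meaning even if
        # the allowlist were widened later.
        system('/bin/echo', 'would pass argument:', $clean) == 0
            or warn "echo failed: $?\n";
    } else {
        print "reject  '$shown'\n";
    }
    # For comparison, the looser pattern suggested in the thread.
    print "        (/^\\w+\$/ would ",
        ($input =~ /^\w+$/ ? 'accept' : 'reject'), ")\n";
}
```

The literals in @samples are not tainted because they originate inside the script; the same helper applies unchanged to values read from CGI parameters, which are.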