input validation

Alexandre Jaquet

Hi,

I have trouble when I parse web page input. I want to accept only
alphanumeric characters (with accents) and ignore it when the data is equal
to "Toutes les catégories"

I do the following :

local our $category = $query->param("categories");
$category =~ s/[^\w]//g;

local our $test = $SERVER{'all_categories'};
if ($category ne $test) {
    $add .= " AND ref_categorie = id_categorie AND categorie_$lang.nom = '$category'";
    $from .= "article, categorie_$lang,statut_$lang";
} else {
    $add .= "AND article.ref_statut = id_statut AND ref_statut = '3' AND ref_categorie = id_categorie ";
    $from .= "article,statut_$lang,categorie_$lang"
}

but the following part "$add .= " AND ref_categorie = id_categorie AND
categorie_$lang.nom = " is still executed

any help

many thanks
 
Paul Lalli

Alexandre said:
I have trouble when I parse web page input. I want to accept only
alphanumeric characters (with accents) and ignore it when the data is equal
to "Toutes les catégories"

I do the following :

local our $category = $query->param("categories");
$category =~ s/[^\w]//g;

You know that [^\w] is more quickly written as \W, right?

local our $test = $SERVER{'all_categories'};
if ($category ne $test) {
    $add .= " AND ref_categorie = id_categorie AND categorie_$lang.nom = '$category'";
    $from .= "article, categorie_$lang,statut_$lang";
} else {
    $add .= "AND article.ref_statut = id_statut AND ref_statut = '3' AND ref_categorie = id_categorie ";
    $from .= "article,statut_$lang,categorie_$lang"
}

but the following part "$add .= " AND ref_categorie = id_categorie AND
categorie_$lang.nom = " is still executed

.... and? Is that not what you want? You haven't shown us what *any*
of these variables are. How are we supposed to know how or why this
isn't the "correct" behavior?

Please, include some debugging statements that show us the values of
$category before the s///, $category after the s///, and $test. Then
post the results of that debugging as a followup.

Paul Lalli
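
Added example, not part of either post: a sketch of validating the category as decoded text and passing it to the query as a bound value instead of interpolating it. It assumes the form value arrives as UTF-8 bytes and that the "all categories" value is the literal "Toutes les catégories"; %LANGS, clean_category and category_filter are hypothetical names.

```perl
use strict;
use warnings;
use utf8;                                   # literals in this file are UTF-8
use Encode qw(decode encode);

my $ALL   = "Toutes les catégories";        # assumed "no filter" value
my %LANGS = (fr => 1, en => 1);             # hypothetical allow-list for $lang

# Decode the raw bytes, then accept only words separated by single spaces.
# Returns the decoded text, or nothing if the input is malformed.
sub clean_category {
    my ($raw) = @_;
    my $text = eval { decode('UTF-8', $raw, Encode::FB_CROAK | Encode::LEAVE_SRC) };
    return unless defined $text;
    return unless $text =~ /\A\w+(?: \w+)*\z/;   # accented letters match \w once decoded
    return $text;
}

# Returns the WHERE fragment followed by its bind values. Table names cannot
# be bound, so $lang must come from the allow-list before it is interpolated.
sub category_filter {
    my ($raw, $lang) = @_;
    die "bad lang\n" unless $LANGS{$lang};
    my $category = clean_category($raw);
    die "bad category\n" unless defined $category;
    return ("") if $category eq $ALL;            # "all categories": no extra filter
    return (" AND categorie_$lang.nom = ?", $category);
}

binmode(STDOUT, ':encoding(UTF-8)');

# What the substitution from the thread does to the "all categories" value:
# the spaces are removed, so a later "eq" against the original text fails.
(my $stripped = $ALL) =~ s/\W//g;
print "after s/\\W//g: $stripped\n";

# Constructed sample inputs, encoded the way a form would deliver them.
for my $raw (encode('UTF-8', $ALL), encode('UTF-8', "Électronique"), "x' OR '1'='1") {
    my ($sql, @bind) = eval { category_filter($raw, 'fr') };
    print defined $sql ? "sql=[$sql] bind=[@bind]\n" : "rejected: $@";
}
# With DBI, $sql is appended to the statement given to prepare() and
# @bind is passed to execute().
```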
 
