#1 Master Coder

    sanitising form submission

Hi,

I am sanitising submitted data from a form, but I need your help because I don't know if I am sufficiently securing it all.

All non-alphanumeric characters should be encoded to their entity name or numeric value, e.g. & # 163; [without spacing].
And I want to make sure that any hex coding is translated to HTML entities too.

So why will this not convert the $ and % characters?
And is the rest of my script OK, or is there a better way to do this?

Code:
  use strict;
  use warnings;
  use CGI;
  use HTML::Entities;
  use Data::Dumper;

  my @acceptable_keys = qw(action name);   # placeholder: the form's real field names
  my %form_results;
  my %vars = CGI->Vars;

  # loop through all sent params keys
  while ( my ( $key, $value ) = each %vars ) {

      # check against acceptable values (exact match, not a regex,
      # so a submitted key cannot act as a pattern)
      if ( !grep { $_ eq $key } @acceptable_keys ) {
          exit;
      }
      $value = encode_entities($value);
      $value = encode_entities($value, '`¬?$%^&*');

      $form_results{$key} = $value;
  }

  print Dumper \%form_results;
    bazz
    Last edited by bazz; 01-02-2011 at 08:13 PM.
    "The day you stop learning is the day you become obsolete"! - my late Dad.

    Why do some people say "I don't know for sure"? If they don't know for sure then, they don't know!
    Useful MySQL resource
    Useful MySQL link

#2 Super Moderator
    Change: '`¬?$%^&*'
    To: '`¬?%$^&*'

    and you'll see part of the problem.

Then look up $% in perldoc perlvar.

    I don't have time right now to find out how to prevent encode_entities from interpolating. Adding \Q as you would in a regex doesn't seem to work in this case.

#3 Master Coder
    Thanks FishMonger. Interesting.

If I use this line
Code:
$value = encode_entities($value, '`¬?%$^&*');
several alpha characters are encoded, specifically uppercase D O P S T U.

    It sort of knackers my $action values such as Save, which triggers the Save sub.

    bazz

#4 Master Coder
    Just found a whole new series of security things to address.

So I am currently using
    Code:
      use HTML::Entities;
      use Encode qw(decode);
      use URI::Escape qw(uri_unescape);
    
      $value = decode 'utf-8' => uri_unescape $value;
      $value = encode_entities($value);
      $value = encode_entities($value, '$`¬?%^&*');
    How does that seem?

    bazz
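Added example (not bazz's script and not part of HTML::Entities) showing why `$` keeps disappearing from the unsafe-chars argument in all three orderings tried in this thread, and a whitelist-plus-encoding routine that avoids the regex-match on the key and the double encoding of `&`. It assumes the parameters have already been URL-decoded by CGI and uses constructed field names (`action`, `note`) and values.

```perl
#!/usr/bin/perl
# Added example, not the poster's script. Shows why '$' is dropped from
# encode_entities' second argument and one way to do the whitelist safely.
use strict;
use warnings;
use HTML::Entities qw(encode_entities);

# encode_entities builds s/([<chars>])/.../ from its second argument, so Perl
# interpolates variables inside it: "$%" is the format page number (0), "$^"
# is the format name ("STDOUT_TOP", which is why D O P S T U were encoded in
# the thread) and "$`" is the prematch string. A backslash makes '$' literal.
my $text   = 'Save $5 at 10% off';
my $broken = encode_entities($text, '`?$%^*');    # '$' and '%' survive; '0' is encoded because $% is 0
my $fixed  = encode_entities($text, '`?\$%^*');   # '$' and '%' are encoded as numeric entities

# Whitelist by exact key lookup (grep /$key/ treats the submitted key as a
# regex, so a key of "." would match any acceptable key), then encode in two
# passes: the module's default set first, the extras second, with '&' left
# out of the extras so the entities from the first pass are not re-encoded.
sub sanitise_params {
    my ($vars, $acceptable) = @_;    # hashref of params, hashref of allowed keys
    my %clean;
    for my $key (sort keys %$vars) {
        die "unexpected parameter: $key\n" unless $acceptable->{$key};
        my $value = encode_entities($vars->{$key});     # & < > " ' and non-ASCII such as ¬
        $value = encode_entities($value, '`?\$%^*');    # extras: '$' escaped, no '&'
        $clean{$key} = $value;
    }
    return \%clean;
}

# Constructed input standing in for CGI->Vars (already URL-decoded by CGI).
my %vars  = (action => 'Save', note => 'Tom & Jerry <b>$5</b> at 10%');
my $clean = sanitise_params(\%vars, { map { $_ => 1 } qw(action note) });
print "$_ => $clean->{$_}\n" for sort keys %$clean;
print "broken: $broken\nfixed:  $fixed\n";
```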
