From: Joe Brenner <doom@kzsu.stanford.edu>
To: dbi-users@isc.org
Subject: Untainting regexps for dbi
Date: Wed, 20 Sep 2000 11:34:57 -0700
Message-Id: <200009201834.LAA59531@kzsu.stanford.edu>

With a typical CGI script, you've got some submitted data that you want to put into your database, but of course, if you're using taint mode, perl will complain about every commit, unless you've untainted the data first.
And you do that by using a regexp to extract what you want to put in your database.

My main question is: What kind of patterns would be recommended to do the untainting? As far as I know, this information isn't being passed through the shell, so is there any reason to worry about shell metacharacters? Are there any characters that are dangerous to put in your database?

I realize that the recommended untainting philosophy is to look for what you want rather than to try and screen out what you don't want, but it seems to me that there are many cases where you'd really rather avoid limiting the system unless there's a good reason to do so.

And by the way, I also might complain about the error messages that you get from DBI when you try and commit untainted data. I see things like

    Can't bind unknown placeholder '2'

Whenever one of these comes up I seem to run down the same blind alleys before I remember that you can't take that error too literally.

Anyway, here's the version info for my system:

    DBI 1.13
    DBD::Pg 0.91
    perl 5.005_03
    postgresql 6.5.3
    Linux kernel 2.2.12-20
    Redhat 6.1
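An added example, not from the original post, of the "look for what you want" untainting the poster describes, written for the same setup (Perl taint mode, DBI with DBD::Pg): each field gets an allowlist regexp whose capture is the only route out of taint, and the value is then bound through a DBI placeholder, so the regexp's job is to satisfy taint mode and enforce a field format, not to escape quotes. The users table, its columns, the per-field rules and the DBI_DSN environment variable are assumptions for the example.

```perl
#!/usr/bin/perl -T
# Added example: allowlist untainting of CGI-style input, then insertion via DBI placeholders.
# Run as: perl -T untaint.pl 'alice_01' 'alice@example.org' 'hello from the form'
use strict;
use warnings;
use Scalar::Util qw(tainted);   # core since Perl 5.8; used only to show the taint flag
use DBI;

# One allowlist pattern per field: it states what the field may contain, and anything else is
# rejected rather than stripped. \z (not $) is used so a trailing newline cannot slip through.
my %RULES = (
    username => qr/^([A-Za-z0-9_.-]{1,32})\z/,
    email    => qr/^([A-Za-z0-9_.+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,})\z/,
    comment  => qr/^([^\x00-\x08\x0b\x0c\x0e-\x1f]{0,500})\z/s,   # printable text, newlines allowed
);

# Returns the untainted value, or undef if the field does not match its rule.
sub untaint {
    my ($field, $value) = @_;
    my $rule = $RULES{$field} or die "no rule for field '$field'";
    return unless defined $value && $value =~ $rule;
    return $1;   # a regexp capture is what lifts the taint flag
}

# Placeholders: DBI/DBD::Pg binds the values itself, so no quoting is done here.
sub insert_user {
    my ($dbh, %row) = @_;
    my $sth = $dbh->prepare('INSERT INTO users (username, email, comment) VALUES (?, ?, ?)');
    return $sth->execute(@row{qw(username email comment)});
}

# @ARGV stands in for CGI parameters; under -T it is tainted just as form data would be.
my %input = (
    username => $ARGV[0],
    email    => $ARGV[1],
    comment  => defined $ARGV[2] ? $ARGV[2] : '',
);
my %clean;
for my $field (sort keys %RULES) {
    my $v = untaint($field, $input{$field});
    defined $v or die "rejected field '$field'\n";
    $clean{$field} = $v;
}
printf "%-8s tainted=%d -> %s\n", $_, tainted($input{$_}) ? 1 : 0, $clean{$_} for sort keys %clean;

# Assumed: DBI_DSN names the database (e.g. dbi:Pg:dbname=test); without it the script only untaints.
if (my $dsn = $ENV{DBI_DSN}) {
    my $dbh = DBI->connect($dsn, undef, undef, { RaiseError => 1, AutoCommit => 1 });
    insert_user($dbh, %clean);
}
```

Because the patterns are allowlists, a value such as `bob; drop table users` is rejected at the username rule rather than reaching the database, and a value that does pass is still bound as data, not interpolated into the SQL text.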