Randy W. Sims wrote:
JupiterHost.Net wrote:

So what I'd like to be able to do is:

my ($find, $replacewith, $case) = $dbh->selectrow_array($query);

# $find is interpolated directly into the pattern, so any regex
# metacharacters stored in the database are interpreted as regex syntax
$string =~ s/$find/$replacewith/gi if $case;
$string =~ s/$find/$replacewith/g if !$case;

Since a user could put whatever they want in the database, what should I do to make that work so it's safe?

If there are no metacharacters, you can use \Q to quote $find:

my $ci = $case ? '(?i)' : '';   # inline case-insensitive flag, or nothing
$string =~ s/$ci\Q$find\E/-/g;  # \Q...\E escapes every metacharacter in $find

Thanks for the idea! One problem is they could put anything in there: metacharacters, a regex-exploiting string, anything.

The above example turns all metacharacters to normal characters, making the expression safe. If you do want to allow metacharacters, you will

I do believe that will do me for now. I don't think they need to use metacharacters, especially if it means being secure :)


have to scan the string looking for dangerous expressions. Dangerous expressions are those that allow arbitrary perl code to be executed. Those include: @{[...]}, ${\(...)}, (?{...}), (??{...}). Note that arbitrary spaces can appear within the first two, so you must allow for that. This list may change with future versions of perl so, is not reliable.

A better solution would be to allow only a subset of metacharacters, escaping everything else. This would require much more effort, but would be safer. Perhaps there is a module that does something like this? If not, there should be.


I'm looking at the Regex:: modules but haven't seen anything yet (search for Regex:: on search.cpan.org and click on any link in the results; mine go nowhere???). Also perldoc perlre has some things about this, but for now I think it'll do me :)


Thanks Randy

--
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
<http://learn.perl.org/> <http://learn.perl.org/first-response>
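The two approaches discussed in the thread, as an added example that is not part of the original posts: literal_subst treats the stored pattern as plain text with \Q...\E (Randy's suggestion), and limited_subst is a hypothetical allow-list helper that escapes everything except a chosen handful of metacharacters (the "subset" idea). The database row is replaced by constructed sample data standing in for what selectrow_array would return; ALLOWED is an assumed set.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed rows standing in for ($find, $replacewith, $case) from the DB.
# The third row holds regex syntax of the kind a user might store.
my @rows = (
    [ 'a.b',             'X', 1 ],   # '.' should match a literal dot
    [ 'foo+',            'Y', 0 ],   # '+' should match a literal plus
    [ '(?{ print "hi" })', 'Z', 0 ], # must never be treated as code
    [ 'a.*d',            'W', 0 ],   # '.' and '*' allowed in limited mode only
);

# Approach 1: the stored pattern is literal text. \Q...\E escapes every
# metacharacter, and (?i) supplies the case flag inline so one s/// suffices.
# The replacement side of s/// is plain string interpolation (no /e), so
# $replacewith is never evaluated as code either.
sub literal_subst {
    my ($string, $find, $replacewith, $case) = @_;
    my $ci = $case ? '(?i)' : '';
    $string =~ s/$ci\Q$find\E/$replacewith/g;
    return $string;
}

# Approach 2 (assumed helper): allow only a small subset of metacharacters and
# quotemeta() everything else character by character. Any pattern that still
# fails to compile (e.g. a leading '*') is rejected rather than run.
my %ALLOWED = map { $_ => 1 } qw( . * ? );   # assumed allow-list

sub limited_subst {
    my ($string, $find, $replacewith, $case) = @_;
    my $pat = join '', map { $ALLOWED{$_} ? $_ : quotemeta($_) } split //, $find;
    my $re = eval { $case ? qr/$pat/i : qr/$pat/ };
    return (undef, "rejected pattern: $@") unless defined $re;
    $string =~ s/$re/$replacewith/g;
    return ($string, undef);
}

my $text = 'A.b a.b axb foo+ foo (?{ print "hi" }) abcd';

for my $row (@rows) {
    my ($find, $replacewith, $case) = @$row;
    my $lit = literal_subst($text, $find, $replacewith, $case);
    my ($lim, $err) = limited_subst($text, $find, $replacewith, $case);
    print "find=[$find] case=$case\n";
    print "  literal: $lit\n";
    print "  limited: ", (defined $lim ? $lim : $err), "\n";
}
```

With the literal approach, 'a.b' with $case set rewrites both "A.b" and "a.b" but leaves "axb" alone, and the (?{ ... }) row only ever matches itself as text. With the limited approach the same row still cannot execute anything, because '(' and '{' are escaped, while 'a.*d' is allowed to behave as a pattern and rewrites "abcd".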