Adam W on Wednesday, 8 March 2006 00.49:
> Hans Meier (John Doe) wrote:
> > Adam W on Tuesday, 7 March 2006 23.16:
> >>Hans Meier (John Doe) wrote:
[...]
> > (this dies on empty lines etc. too, and of course the input file's lines
> > should be sanitized before, and to be on the secure side, the
> > transformation script should do that too... but all that depends on the
> > exact circumstances in which you use the script)
>
> Sorry, I'm relatively new to programming in general (perl is my first
> programming language), so I'm not sure what you mean by "sanitizing."

Could also be "sanitising", saw both :-)

> Does this imply having the program correct any possible errors in the
> input to be compliant with the way the program operates on the input?

Yes, I think one could say so.

Sorry if the explanation is not good English:

Saniti(z|s)ing means to assure that all input from *outside* of the program
(file content, environment variables, user input from the command line / web
interface etc.) has the format that's being *expected*. Don't trust any data
coming from outside.

Missing input sanitizing is the main reason for security holes in software
applications (I think). (Maybe you heard of XSS, buffer/integer/heap
overflows, HTTP Response Splitting, Cookie Theft and other terms.)

Simple example: a web-based app that expects simple text to present on a web
page; but the user inputs some JavaScript; if not sanitised, the JavaScript is
presented to the browser.

Another example: many "Feedback-Form" scripts around sending mail are
horribly programmed and allow the sending of spam. I have experience with it
from my beginner's time with a script of my own doing that... not fun... was
expensive. I would not recommend placing any beginner's code on a publicly
accessible server without review by others. Chances that it can be misused
are very big (in my opinion, as usual).

Here comes in the "Taint Mode" of perl (perldoc -q taint as a start), which
asserts that all data coming from outside is handled with a regexp; it
can't guarantee that you do the right thing, but that you *do* at least
consider possible dangers.

I would recommend (from own bad experience) to start saniti.ing from the
beginning. It's important on any system more than one user has access to. Get
used to it, as with tooth cleaning and such.

[...]
> > Also no if $/ is set to something that reads more than one line.
> >
> > The $/ variable is very interesting for reading multiline records from a
> > file like conventional lines. Have a look at it!
>
>   Thanks for mentioning the '$/' variable, which is probably what I was
> looking for but didn't know existed (yeah, I know, RTF...)!

Unfortunately at the beginning it is not easy to know what all exists. One
main purpose of manuals is to get information about something one knows
exists; but if you have time, read and read and read to get an idea what's
present; look at code; follow mailing lists; buy a perl book, there are
extraordinarily good ones around (for example "Programming in Perl", "Perl
Cookbook", both from O'Reilly) - just keep in mind that most books present
concepts and not practically usable stuff; you seldom see input saniti.ing
in the examples of such books.

> >>I eventually got around this problem by simply printing what I wanted
> >>after opening the file but before the while loop, and then printing
> >>again after the while loop had ended but before the next file is opened.
> >
> > Sorry, this is not clear to me (what's the purpose of the while in this
> > scenario?)
>
> The while is reading in a file, so it is in the while(<FILEHANDLE>)
> context.  Here is the relevant (paraphrased) code:
>
>       print OUT "<p>";
>       while (defined(my $lines = <IN>)) {
>           # ...make the substitutions to the text...
>           print OUT $lines;
>       }
>       print OUT "</p>";
>
>
> The p-tags are there because I want each list of links to be an HTML
> paragraph formatted according to my CSS definition of <p>.  Nothing
> special.

Now it's clear; I thought you were talking about the transformation :-)

> > Nice way to post on this list; not the kind of "Oh, I spend 10 secs to
> > ask, there will be people spending 1/2 h to solve my problem".
>
> Thank you. Nothing helps a community more than communication.

True :-)

Hans

--
<http://learn.perl.org/> <http://learn.perl.org/first-response>
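An added example (not code from either poster) tying together the three points of the reply: taint mode, untainting file input with a regex capture before it is printed into HTML, and `$/` in paragraph mode to read multi-line records. The input format (a URL followed by a link title, records separated by blank lines), the sample data and the `sanitize_record`/`html_escape` helpers are assumptions for illustration.

```perl
#!/usr/bin/perl -T
# Added example: untaint and escape file records before emitting them as HTML.
# Under -T, perl dies if tainted data reaches an unsafe operation; only a
# regex capture clears the taint flag, so the check has to be explicit.
use strict;
use warnings;

# Constructed sample input standing in for the IN file of the thread.
my $sample = "http://learn.perl.org/ Learn Perl\n\n"
           . "http://example.org/ Example <b>Site</b>\n"
           . "  second line of the same record\n\n"
           . "mailto:someone\@example.org Not a web link\n";

# Escape the characters that change meaning inside HTML text and attributes.
sub html_escape {
    my ($s) = @_;
    my %map = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$map{$1}/g;
    return $s;
}

# Accept only "http(s) URL, whitespace, printable title"; anything else is
# rejected rather than repaired. $1 and $2 are untainted copies on success.
sub sanitize_record {
    my ($rec) = @_;
    $rec =~ s/\s+/ /g;    # a multi-line record becomes one line
    if ($rec =~ m{^\s*(https?://[\w.~:/?#\[\]\@!\$&'()*+,;=%-]+)\s+([\x20-\x7e]{1,200})\s*$}) {
        return ($1, $2);
    }
    return;               # no match: caller skips the record
}

open my $in, '<', \$sample or die "open: $!";
local $/ = "";            # paragraph mode: one record per blank-line-separated block
print "<p>\n";
while (defined(my $record = <$in>)) {
    my ($url, $title) = sanitize_record($record);
    unless (defined $url) {
        warn "skipped unparseable record: " . substr($record, 0, 40) . "\n";
        next;
    }
    printf qq{<a href="%s">%s</a><br>\n}, html_escape($url), html_escape($title);
}
print "</p>\n";
close $in;
```

Run it as `perl -T script.pl` (or make the file executable); a bare `perl script.pl` stops with "Too late for -T option" because taint mode must be enabled from the command line. With a real file instead of the in-memory handle, every line read is tainted until the capture in `sanitize_record` accepts it.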