RE: Efficient Untaint? - Thanks.

2004-07-17 Thread Jeff 'japhy' Pinyan
On Jul 17, Kent, Mr. John (Contractor) said:

>>As for your code:
>>
>>>   my($MOSAIC_SCALE)= $query->param('MOSAIC_SCALE')|| "20";
>>>{$MOSAIC_SCALE =~ /(\d+)/;
>>> $MOSAIC_SCALE = $1;
>>
>>You should *never* use $DIGIT variables after a regex unless you're sure
>>the regex *matched*.
>
>(In some cases I know the values will be digits).

I disagree.  You can never be sure what *user* input to your application
will be.  Maybe it *should* be digits, but I can get around whatever
JavaScript or other client-side form-field validation you supply.

But it's not a taint-specific issue.  *NEVER* use the $1, $2, etc.
variables unless you are *SURE* the regex matches.  How can you be sure?
Use an if statement:

  if ($str =~ /regex/) {
# use $1, $2, etc.
  }

-- 
Jeff "japhy" Pinyan %  How can we ever be the sold short or
RPI Acacia Brother #734 %  the cheated, we who for every service
http://japhy.perlmonk.org/  %  have long ago been overpaid?
http://www.perlmonks.org/   %-- Meister Eckhart


-- 
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
 




RE: Efficient Untaint? Thanks2

2004-07-17 Thread Kent, Mr. John (Contractor)
Gunnar,

Thank you.  Excellent suggestion.
Undoubtedly I've gota lota unnecessary
untaintin' goin' on!

Thanks,
John Kent

-Original Message-
From: Gunnar Hjalmarsson [mailto:[EMAIL PROTECTED]
Sent: Saturday, July 17, 2004 11:37 AM
To: [EMAIL PROTECTED]
Subject: Re: Efficient Untaint?


Mr. John Kent wrote:
> Is there a more efficient/better way to untaint variables
> pulled from a cgi query object?
> 
> Here is an example of what I am currently doing:
> 
> #!/usr/bin/perl -wT
> use strict;
> use CGI;
> my($query) = new CGI;
> 
> # I then have 30  untaint checks like this before I start
> # coding.

Do all the 30 parameters need to be validated in the form of 
untainting? For params that will not be used directly in system 
operations, you may want to consider something simpler.

Personally I like to populate a hash with the CGI input, and assuming 
that has been done, and that you don't need to reassign the parameters 
in the CGI object, you could for instance do:

 $in{MOSAIC_SCALE} =~ /^\d+$/ or $in{MOSAIC_SCALE} = 20;

or even just:

 $in{MOSAIC_SCALE} ||= 20;

For params that need untainting, I like Jeff's suggestion.

-- 
Gunnar Hjalmarsson
Email: http://www.gunnar.cc/cgi-bin/contact.pl





RE: Efficient Untaint? - Thanks.

2004-07-17 Thread Kent, Mr. John (Contractor)
Thank you Jeff,

Very nice.

I will give it a try.
(In some cases I know the values will be digits).

John Kent

-Original Message-
From: Jeff 'japhy' Pinyan [mailto:[EMAIL PROTECTED]
Sent: Saturday, July 17, 2004 10:34 AM
To: Kent, Mr. John (Contractor)
Cc: [EMAIL PROTECTED]
Subject: Re: Efficient Untaint?


On Jul 17, Kent, Mr. John (Contractor) said:

>Is there a more efficient/better way to untaint variables
>pulled from a cgi query object?

I'd make an untaint function that took the param() name, a regex to use,
and a default value to use.

  sub untaint {
    my ($name, $rx, $default) = @_;
    my $val = $query->param($name);
    # $1 is only read when the match succeeded; otherwise use the default
    my $ok  = defined $val && $val =~ $rx ? $1 : $default;
    $query->param($name, $ok);
    return $ok;
  }

You use it like so:

  my $MOSAIC_SCALE = untaint('MOSAIC_SCALE', qr/(\d+)/, 20);
  # etc.

As for your code:

>   my($MOSAIC_SCALE)= $query->param('MOSAIC_SCALE')|| "20";
>{$MOSAIC_SCALE =~ /(\d+)/;
> $MOSAIC_SCALE = $1;

You should *never* use $DIGIT variables after a regex unless you're sure
the regex *matched*.

-- 
Jeff "japhy" Pinyan %  How can we ever be the sold short or
RPI Acacia Brother #734 %  the cheated, we who for every service
http://japhy.perlmonk.org/  %  have long ago been overpaid?
http://www.perlmonks.org/   %-- Meister Eckhart






RE: 1 Windows XP + 1 Office XP = $80 d dhhytzy vs dxq

2004-07-17 Thread Tim Johnson
I guess his name says it all...

-Original Message- 
From: Carl Colon [mailto:[EMAIL PROTECTED] 
Sent: Wed 7/21/2004 1:16 PM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: 1 Windows XP + 1 Office XP = $80 d dhhytzy vs dxq



Loads of cool soft at incredibly low prices
Windows XP Professional + Office XP Professional for as low as $80
Order here:




The stock is limited
The offer is valid till next 24 hours
Hurry!







RE: Windows Perl Environment

2004-07-17 Thread Tim Johnson
If you're ready to pay money for it, then there's Visual Perl from ActiveState (VS 
plug-in, works great), Komodo from ActiveState, PerlBuilder from SolutionSoft that 
have built-in debuggers.  The Visual Debugger that comes with the Perl Dev Kit from 
ActiveState is also pretty good.

-Original Message- 
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Sat 7/17/2004 2:44 AM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: Windows Perl Environment



Is there any program that allows one to write Perl scripts and and then test
them in a windows environment without using a DOS window, and actually have me
see the program run before I upload it to a server, rather than just testing
if the script runs without errors? Anyone know what I mean and know of any
such program?




Re: Efficient Untaint?

2004-07-17 Thread Gunnar Hjalmarsson
Mr. John Kent wrote:
> Is there a more efficient/better way to untaint variables
> pulled from a cgi query object?
>
> Here is an example of what I am currently doing:
>
> #!/usr/bin/perl -wT
> use strict;
> use CGI;
> my($query) = new CGI;
>
> # I then have 30  untaint checks like this before I start
> # coding.

Do all the 30 parameters need to be validated in the form of 
untainting? For params that will not be used directly in system 
operations, you may want to consider something simpler.

Personally I like to populate a hash with the CGI input, and assuming 
that has been done, and that you don't need to reassign the parameters 
in the CGI object, you could for instance do:

 $in{MOSAIC_SCALE} =~ /^\d+$/ or $in{MOSAIC_SCALE} = 20;

or even just:

 $in{MOSAIC_SCALE} ||= 20;

For params that need untainting, I like Jeff's suggestion.
--
Gunnar Hjalmarsson
Email: http://www.gunnar.cc/cgi-bin/contact.pl



Re: Efficient Untaint?

2004-07-17 Thread Jeff 'japhy' Pinyan
On Jul 17, Kent, Mr. John (Contractor) said:

>Is there a more efficient/better way to untaint variables
>pulled from a cgi query object?

I'd make an untaint function that took the param() name, a regex to use,
and a default value to use.

  sub untaint {
    my ($name, $rx, $default) = @_;
    my $val = $query->param($name);
    # $1 is only read when the match succeeded; otherwise use the default
    my $ok  = defined $val && $val =~ $rx ? $1 : $default;
    $query->param($name, $ok);
    return $ok;
  }

You use it like so:

  my $MOSAIC_SCALE = untaint('MOSAIC_SCALE', qr/(\d+)/, 20);
  # etc.

As for your code:

>   my($MOSAIC_SCALE)= $query->param('MOSAIC_SCALE')|| "20";
>{$MOSAIC_SCALE =~ /(\d+)/;
> $MOSAIC_SCALE = $1;

You should *never* use $DIGIT variables after a regex unless you're sure
the regex *matched*.

-- 
Jeff "japhy" Pinyan %  How can we ever be the sold short or
RPI Acacia Brother #734 %  the cheated, we who for every service
http://japhy.perlmonk.org/  %  have long ago been overpaid?
http://www.perlmonks.org/   %-- Meister Eckhart


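The script below is an added example written for this archive page; it is not code from Jeff's, Gunnar's or John's messages. It takes Jeff's untaint(name, regex, default) idea and his rule that $1 is only read when the regex actually matched, and applies Gunnar's point that the strict check belongs on the values that end up in system operations. Two things differ from the thread's code: the patterns are anchored with \A and \z, so a hostile value cannot ride along with the accepted digits, and the helper returns the vetted value instead of writing it back into the CGI object. Assumptions: CGI.pm is installed (it is no longer bundled with Perl), the script is started with perl -T, and the query string is a constructed sample; real CGI input is tainted on its own, so the taint-borrowing trick is only there to make the offline run honest.

```perl
#!/usr/bin/perl -T
# Added example for this thread, not code from the original posts.
# A CGI untaint helper that (a) reads $1 only inside the branch where the
# match succeeded, (b) anchors the pattern so nothing can ride along with
# the accepted characters, and (c) returns the vetted value (or a default)
# instead of relying on a side effect on the CGI object.
use strict;
use warnings;
use CGI;                          # assumption: CGI.pm is installed
use Scalar::Util qw(tainted);

# Constructed request for an offline run. A literal assigned inside the
# script is not tainted, so the taint flag is borrowed from the process
# environment with the empty-substr trick (real CGI input needs none of this).
my $taint = substr(join('', values %ENV), 0, 0);
$ENV{REQUEST_METHOD} = 'GET';
$ENV{QUERY_STRING}   = 'MOSAIC_SCALE=20%0Aecho+pwned&SIZE=large-1&STYLE=' . $taint;
my $query = CGI->new;

# untaint(NAME, REGEX_WITH_ONE_CAPTURE, DEFAULT)
# Returns the captured text if the parameter matches, otherwise DEFAULT.
# $1 is touched only where a match is guaranteed, so a stale capture from
# an earlier regex can never leak through on a failed match.
sub untaint {
    my ($name, $rx, $default) = @_;
    my $raw = $query->param($name);
    return $default unless defined $raw && length $raw;
    if ($raw =~ $rx) {
        return $1;                # a capture group result is untainted
    }
    return $default;
}

# Anchored with \A and \z: plain ^ and $ still accept a trailing newline
# ("20\n" matches /^(\d+)$/), and an unanchored /(\d+)/ accepts anything
# that contains a digit somewhere.
my $scale = untaint('MOSAIC_SCALE', qr/\A(\d{1,3})\z/,         10);
my $size  = untaint('SIZE',         qr/\A([\w-]{1,32})\z/,     'MEDIUM');
my $style = untaint('STYLE',        qr/\A(frames|noframes)\z/, 'frames');

# The same input through the thread's unanchored pattern, for contrast:
# "20\necho pwned" is quietly reduced to "20" and the attempt is hidden.
my $loose = untaint('MOSAIC_SCALE', qr/(\d+)/, 10);

printf "raw MOSAIC_SCALE tainted: %d\n",
    tainted(scalar $query->param('MOSAIC_SCALE')) ? 1 : 0;
printf "MOSAIC_SCALE anchored  : %s (tainted %d)\n", $scale, tainted($scale) ? 1 : 0;
printf "MOSAIC_SCALE unanchored: %s (silently accepted)\n", $loose;
printf "SIZE                   : %s\n", $size;
printf "STYLE                  : %s\n", $style;
```

Run it as perl -T untaint.pl (perl refuses a -T shebang when the command line lacks it). The anchored call rejects the smuggled value and falls back to the default 10, while the unanchored call returns 20 and would have let "echo pwned" pass unnoticed into whatever used that parameter next. Where a parameter only ever reaches an HTML template or a hash key, Gunnar's simpler defaulting is enough; keep the regex gate for the values that become file names, command arguments or database input.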




Efficient Untaint?

2004-07-17 Thread Kent, Mr. John (Contractor)
Greetings,

Is there a more efficient/better way to untaint variables
pulled from a cgi query object?

Here is an example of what I am currently doing:

#!/usr/bin/perl -wT
use strict;
use CGI;
my($query) = new CGI;

# I then have 30  untaint checks like this before I start
# coding.

   my($MOSAIC_SCALE)= $query->param('MOSAIC_SCALE')|| "20";
{$MOSAIC_SCALE =~ /(\d+)/;
 $MOSAIC_SCALE = $1;
 $query->param('MOSAIC_SCALE',$MOSAIC_SCALE);
}
my($SIZE)= $query->param('SIZE')|| $Tc_Config::DEFAULT_SIZE;
{$SIZE =~ /([\w\-\_]+)/;
 $SIZE = $1;
 $query->param('SIZE',$SIZE);
}

my($MOST_RECENT) = $query->param('MOST_RECENT') || ();
{$MOST_RECENT =~ /([\w\.\-\_]+)/;
 $MOST_RECENT = $1;
 $query->param('MOST_RECENT',$MOST_RECENT);
}

my($MOVIE_SIZE)  = $query->param('MOVIE_SIZE')  || "MEDIUM";
{$MOVIE_SIZE =~ /([\w\-\_]+)/;
 $MOVIE_SIZE = $1;
 $query->param('MOVIE_SIZE',$MOVIE_SIZE);
}


my($STYLE)   = $query->param('STYLE')   || "frames";
{$STYLE =~ /([\w\-\_]+)/;
 $STYLE = $1;
 $query->param('STYLE',$STYLE);
}

Thank you,

John Kent






Re: Order of evaluation

2004-07-17 Thread Jeff 'japhy' Pinyan
On Jul 16, David Arnold said:

>my @ary=@{$state}{qw(WORD GAMENO)};
>
>How does the order of evaluation go here in order to populate @ary?

That is a hash slice on the hash reference in $state.

The @{...} is signaling we expect to get more than one value back, and the
{qw(WORD GAMENO)} is a hash access.  @{$state}{qw(WORD GAMENO)}
dereferences $state, and returns the values for the keys WORD and GAMENO.

-- 
Jeff "japhy" Pinyan %  How can we ever be the sold short or
RPI Acacia Brother #734 %  the cheated, we who for every service
http://japhy.perlmonk.org/  %  have long ago been overpaid?
http://www.perlmonks.org/   %-- Meister Eckhart






Re: Pattern Matching records from a table query.

2004-07-17 Thread Adam
Jason,

> I want to eliminate the "." (period) or "," (comma) from records that I
> return from a query, but I cannot figure out how to approach it. Does Perl
> have a way that I can match a string from an array and remove a character or
> characters?

Yes. A regular expression such as s/\.// (#UN-TESTED) should do the
trick.

> For example say I have array @records that contain the following:
>  
> Myrecord1   Myrecord2Myrecord3Myrecord4Myrecord5, inc. Myrecord6,
> LP Myrecord7, LLC

Simply because it irks me: you do understand the array @records should
really have MyField1, MyField2, MyField3, MyField4, ...

> I want to send this query out to persons in a .csv file but the join(",",
> @record) statement that I am using causes the and extra cell to be created at
> Myrecord5, inc. Myrecord6, LP Myrecord7, LLC.

Then tab delimit it or even better pipe delimit the file.

#UN-TESTED
print join('|', @record);

> What I am thinking is to scan records $record[4, 5, 6] by using regex
> matching, and if a comma exists, delete it or replace it with ";" . I am
> looking for some commands to do this, or at least point me in the right
> direction. Any suggestions?

Yeah, use a pipe delimited file.

Regards,
Adam



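An added example, written for this page and not taken from Adam's or Jason's messages. It goes a step beyond Adam's answer: rather than switching to a pipe delimiter, it keeps the comma and quotes the fields that contain one, which is what RFC 4180 and spreadsheet importers expect, so "Myrecord5, inc." stays a single cell. The @record values are constructed to mirror the record in the question.

```perl
#!/usr/bin/perl
# Added example, not from the thread: emit one CSV line per record while
# keeping commas inside fields intact. A field containing the delimiter, a
# double quote, CR or LF is wrapped in double quotes and embedded double
# quotes are doubled (RFC 4180).
use strict;
use warnings;

# Quote a single field only when it needs it.
sub csv_field {
    my ($f) = @_;
    $f = '' unless defined $f;
    return $f unless $f =~ /[",\r\n]/;   # plain field, no quoting needed
    $f =~ s/"/""/g;                      # escape embedded quotes by doubling
    return qq("$f");
}

# Join one already-fetched row into a CSV record with a CRLF terminator.
sub csv_line {
    return join(',', map { csv_field($_) } @_) . "\r\n";
}

# Constructed sample modelled on the record in the question.
my @record = ('Myrecord1', 'Myrecord2', 'Myrecord3', 'Myrecord4',
              'Myrecord5, inc.', 'Myrecord6, LP', 'Myrecord7, LLC');

my $naive  = join(',', @record);   # 10 cells: the embedded commas split fields
my $quoted = csv_line(@record);    # 7 cells: "Myrecord5, inc." stays one cell
print "naive : $naive\n";
print "quoted: $quoted";
```

For anything beyond a one-off, the Text::CSV module on CPAN implements the same rules plus parsing. One caveat when the values come from users and the file will be opened in a spreadsheet: a cell beginning with =, +, - or @ is treated as a formula by most spreadsheet programs, so such fields should be neutralised before export; that is outside what the thread asked and the block above does not do it.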




Re: Order of evaluation

2004-07-17 Thread Paul Johnson
On Fri, Jul 16, 2004 at 08:08:48PM -0700, David Arnold wrote:

> At 09:52 PM 7/16/04 -0500, Charles K. Clarkson wrote:
> >David Arnold <[EMAIL PROTECTED]> wrote:
> >
> >: If I have:
> >: 
> >: my $state={};
> >: $state->{WORD}='affection';
> >: $state->{GAMENO}=3;
> >: $state->{GUESSES}=3;
> >: 
> >: Then, the following line puzzles me:
> >: 
> >: my @ary=@{$state}{qw(WORD GAMENO)};
> >: 
> >: How does the order of evaluation go here in order to
> >: populate @ary?
> >
> >Why not just print @ary and find out for yourself?
>
> Charles et al,
> 
> Certainly good advice, and I did print it out, so I do know what happens.
> 
> %perl junk.pl
> affection3
> Compilation finished at Fri Jul 16 20:02:43
> 
> It's just that I don't know why this happens.

What you have is a hash slice.  It is the same as

  my @ary = ($state->{WORD}, $state->{GAMENO});

Run perldoc perldata to read more about them.

-- 
Paul Johnson - [EMAIL PROTECTED]
http://www.pjcj.net





Re: Windows Perl Environment

2004-07-17 Thread Gunnar Hjalmarsson
[EMAIL PROTECTED] wrote:
> Is there any program that allows one to write Perl scripts and and
> then test them in a windows environment without using a DOS window,
> and actually have me see the program run before I upload it to a
> server, rather than just testing if the script runs without errors?
> Anyone know what I mean and know of any such program?

I guess you are talking about running CGI scripts (written in Perl)
locally on your Windows PC. To do so, you need a web server, e.g. Apache.
I warmly recommend the IndigoPerl package:
http://www.indigostar.com/indigoperl.htm
It gives you Perl and a pre-configured Apache server with e.g.
mod_perl (even PHP), and it's *very* easy to install.
--
Gunnar Hjalmarsson
Email: http://www.gunnar.cc/cgi-bin/contact.pl



Re: Windows Perl Environment

2004-07-17 Thread David Dorward
On Sat, 2004-07-17 at 10:44, [EMAIL PROTECTED] wrote:
> Is there any program that allows one to write Perl scripts and and then test 
> them in a windows environment without using a DOS window,

ActivePerl and the WindowsXP cmd program. No DOS there.

What is wrong with command lines anyway?

>  and actually have me 
> see the program run before I upload it to a server, rather than just testing 
> if the script runs without errors? Anyone know what I mean and know of any 
> such program?

Do you mean a debugger which allows line by line execution? Perl has one
built in, I'd be surprised if ActivePerl removed it.

http://www.linuxjournal.com/article.php?sid=2484


-- 
David Dorward




Windows Perl Environment

2004-07-17 Thread Jimstone77
Is there any program that allows one to write Perl scripts and and then test 
them in a windows environment without using a DOS window, and actually have me 
see the program run before I upload it to a server, rather than just testing 
if the script runs without errors? Anyone know what I mean and know of any 
such program?


Re: questions about heredocs

2004-07-17 Thread Gunnar Hjalmarsson
Gohaku wrote:
> 1.)  What's up with the semicolon at the end of the first
> delimiter?  I find that confusing.

If you prefer, you can put the semicolon after the terminator in Perl
as well, as long as you don't put it on the same line as the
terminating string. By doing so, it's easier to preserve indenting:

my $html = "<html>\n";
$html .= <<HTML
heredoc demo
</html>
HTML
;
print $html;
--
Gunnar Hjalmarsson
Email: http://www.gunnar.cc/cgi-bin/contact.pl