Perl Server Side CGI Scripting Forum

Perl Security related Filter - Lines
I have a problem
Auctioneer
msg:3745902
 8:38 pm on Sep 16, 2008 (gmt 0)

I use Perl script source to create online auction scripts. But, after looking for a long time, one of the very last secrets (to me) is some security-related script lines like the ones below:

$form{'TITLE'} =~ s/\</\&lt\;/g;
$form{'TITLE'} =~ s/\>/\&gt\;/g;
$form{'TITLE'} =~ s/[\"\'\}\{\)\(\+]//g;
$form{'TITLE'} =~ s/<!(?:--[\s\S]*?--\s*)?>\s*//g;
$form{'TITLE'} =~ s/[\~\^]//g;
$form{'TITLE'} =~ s/~!/ ~!/g;
$form{'TITLE'} =~ s/<*(javascript)[^>]+>//gi;
$form{'TITLE'} =~ s/(<[\s\/]*)(script\b[^>]*>)/$1x$2/gi;
$form{'TITLE'} =~ s/<*(iframe)[^>]+>//gi;
$form{'TITLE'} =~ s/<*(script)[^>]+>//gi;

I know what they (are supposed to) do, and I know what the meaning of some lines, like the ones here, is:
--
$form{'TITLE'} =~ s/\</\&lt\;/g;
$form{'TITLE'} =~ s/\>/\&gt\;/g;

something like:

if a=< then save this as &lt;
if a=> then save this as &gt;
--
but I never found a webpage anywhere explaining in detail every one of all those "s/[\"\'\}\{\)\(\+]//g;---e.t.c." exact functions.

I care very much about security, and if I find some place where I can learn more about this, I would be very happy. I am Swiss, so my script-technical English is rather limited. This may make it a little harder to really understand everything written on the Web, especially when it comes to understanding lines like: s/<!(?:--[\s\S]*?--\s*)?>\s*//g;

Thank you very much for your help.

Ernie

[edited by: phranque at 11:25 pm (utc) on Sep. 19, 2008]
[edit reason] No urls, please. See TOS [webmasterworld.com] [/edit]

perl_diver
msg:3745970
 11:25 pm on Sep 16, 2008 (gmt 0)

What you need to know in order to understand those lines is regular expressions. There are no tutorials that are going to explain exactly what those particular regexps do. You need to know what all the symbols inside the regexps mean in order to understand what exactly they are doing. Some of them are not well written, like this one:

$form{'TITLE'} =~ s/[\"\'\}\{\)\(\+]//g;

there is no need for all the backslashes:

$form{'TITLE'} =~ s/["'}{)(+]//g;

What it does is remove all the characters inside the square brackets [] from $form{'TITLE'}. It's better written like so:

$form{'TITLE'} =~ tr/"'}{)(+//d;

When it comes to just removing some characters from a string tr/// is very efficient.
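To see the quoted lines working end to end, here is an added example (mine, not code from any poster): the ten substitutions wrapped in a function, in their original order, run beside a plain HTML escaper on two constructed titles. The escape_html function and the sample titles are my additions, not part of the thread.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# The ten filter lines from the first post, applied in their original order
# so the effect of each step can be observed on a constructed title.
sub auction_filter {
    my ($t) = @_;
    $t =~ s/</&lt;/g;                             # 1: '<' becomes the entity &lt;
    $t =~ s/>/&gt;/g;                             # 2: '>' becomes &gt;
    $t =~ tr/"'}{)(+//d;                          # 3: delete " ' } { ) ( +  (perl_diver's tr/// form)
    $t =~ s/<!(?:--[\s\S]*?--\s*)?>\s*//g;        # 4: strip <!-- comments --> / <!...> (needs a literal '<')
    $t =~ tr/~^//d;                               # 5: delete ~ and ^
    $t =~ s/~!/ ~!/g;                             # 6: space before "~!" (never matches: ~ is already gone)
    $t =~ s/<*(javascript)[^>]+>//gi;             # 7: "javascript" up to the next literal '>'
    $t =~ s/(<[\s\/]*)(script\b[^>]*>)/$1x$2/gi;  # 8: <script ...> -> <xscript ...>
    $t =~ s/<*(iframe)[^>]+>//gi;                 # 9: "iframe" up to the next literal '>'
    $t =~ s/<*(script)[^>]+>//gi;                 # 10: "script" up to the next literal '>'
    return $t;
}

# Plain HTML escaping (an assumed alternative, not from the thread): every
# character with meaning in HTML text or attribute context is encoded and
# nothing is deleted, so the title survives intact and can be printed
# between tags or inside a double-quoted attribute.
sub escape_html {
    my ($t) = @_;
    $t =~ s/&/&amp;/g;     # first, so the entities added below are not re-encoded
    $t =~ s/</&lt;/g;
    $t =~ s/>/&gt;/g;
    $t =~ s/"/&quot;/g;
    $t =~ s/'/&#39;/g;
    return $t;
}

# Constructed sample titles (not real auction data).
my @titles = (
    'Rolex (1965) "Submariner" + box',
    '<script>alert("x")</script> & Co.',
);

for my $raw (@titles) {
    print "raw:     $raw\n";
    print "filter:  ", auction_filter($raw), "\n";
    print "escape:  ", escape_html($raw), "\n\n";
}
```

Because steps 1 and 2 have already rewritten every < and >, steps 4 and 7 to 10 can no longer match anything in this order; the visible difference between the two functions is that the filter silently drops the parentheses, quotes and plus sign from the first title, while the escaper keeps them.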

rocknbil
msg:3746434
 4:10 pm on Sep 17, 2008 (gmt 0)

Perl Regular Expressions [search.cpan.org]. Stuff still drives me nuts sometimes. :-)

Auctioneer
msg:3746595
 6:42 pm on Sep 17, 2008 (gmt 0)

@ rocknbil

Now this is what I was looking for! I am sure I will find a lot of answers and even more input that may make my thing even more secure than it is already.

Great place here. Great people. Thank you!

Ernie

[edited by: phranque at 5:55 am (utc) on Sep. 21, 2008]
[edit reason] cleaning up [/edit]

phranque
msg:3748883
 5:56 am on Sep 21, 2008 (gmt 0)

welcome to WebmasterWorld [webmasterworld.com], Auctioneer!
