Perl Server Side CGI Scripting Forum

Perl Security related Filter - Lines
I have a problem

 8:38 pm on Sep 16, 2008 (gmt 0)

I use Perl Script Source to create Online Auction Scripts. But, after looking for a long time, one of the very last secrets (to me) is a set of security-related script lines like the ones below:

$form{'TITLE'} =~ s/\</\&lt\;/g;
$form{'TITLE'} =~ s/\>/\&gt\;/g;
$form{'TITLE'} =~ s/[\"\'\}\{\)\(\+]//g;
$form{'TITLE'} =~ s/<!(?:--[\s\S]*?--\s*)?>\s*//g;
$form{'TITLE'} =~ s/[\~\^]//g;
$form{'TITLE'} =~ s/~!/ ~!/g;
$form{'TITLE'} =~ s/<*(javascript)[^>]+>//gi;
$form{'TITLE'} =~ s/(<[\s\/]*)(script\b[^>]*>)/$1x$2/gi;
$form{'TITLE'} =~ s/<*(iframe)[^>]+>//gi;
$form{'TITLE'} =~ s/<*(script)[^>]+>//gi;

I know what they (are supposed to) do, and I know the meaning of some lines, like the ones here:
$form{'TITLE'} =~ s/\</\&lt\;/g;
$form{'TITLE'} =~ s/\>/\&gt\;/g;

something like:

if a=< then save this as &lt;
if a=> then save this as &gt;
but I never found a webpage anywhere explaining in detail the exact function of every one of those "s/[\"\'\}\{\)\(\+]//g;" etc. lines.

I care very much about security, and if I find some place where I can learn more about this, I would be very happy. I am Swiss, so my script-technical English is rather limited. This may make it a little harder to really understand everything written on the Web, especially when it comes to understanding lines like: s/<!(?:--[\s\S]*?--\s*)?>\s*//g;

Thank you very much for your help.


[edited by: phranque at 11:25 pm (utc) on Sep. 19, 2008]
[edit reason] No urls, please. See TOS [webmasterworld.com] [/edit]



 11:25 pm on Sep 16, 2008 (gmt 0)

What you need to do in order to understand those lines is read about regular expressions. There are no tutorials that are going to explain exactly what those particular regexps do. You need to know what all the symbols inside the regexps mean in order to understand what exactly they are doing. Some of them are not well written, like this one:

$form{'TITLE'} =~ s/[\"\'\}\{\)\(\+]//g;

there is no need for all the backslashes:

$form{'TITLE'} =~ s/["'}{)(+]//g;

what it does is remove all the characters inside the square brackets [] from $form{'TITLE'}. It's better written like so:

$form{'TITLE'} =~ tr/"'}{)(+//d;

When it comes to just removing some characters from a string tr/// is very efficient.
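As an added example, not code from the thread, the following Perl script runs the filter chain posted in the question over a constructed title (a made-up sample, not from any real auction form) and prints the value after each line, using the tr///d form from the reply above for the character-removal line. It makes visible that once the first two lines have turned every < and > into entities, the comment, iframe and script lines further down never match anything, so in this order they add no protection of their own.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample title: quotes, a script tag, an HTML comment, the ~! pair
# and parentheses, so that every posted filter line has something to act on.
my $title = q{Bid "now" <script>alert(1)</script> <!-- note --> ~!fast (cheap)};

# The posted filter chain, in the posted order. Each sub edits its argument in
# place (@_ aliases the caller's variable). The third step uses the tr///d form
# suggested in the reply instead of the original s/[...]//g.
my @steps = (
    [ 'escape <',            sub { $_[0] =~ s/</&lt;/g } ],
    [ 'escape >',            sub { $_[0] =~ s/>/&gt;/g } ],
    [ 'drop " \' } { ) ( +', sub { $_[0] =~ tr/"'}{)(+//d } ],
    [ 'strip <!-- -->',      sub { $_[0] =~ s/<!(?:--[\s\S]*?--\s*)?>\s*//g } ],
    [ 'drop ~ and ^',        sub { $_[0] =~ tr/~^//d } ],
    [ 'space before ~!',     sub { $_[0] =~ s/~!/ ~!/g } ],
    [ 'javascript tag',      sub { $_[0] =~ s/<*(javascript)[^>]+>//gi } ],
    [ 'neuter <script',      sub { $_[0] =~ s/(<[\s\/]*)(script\b[^>]*>)/${1}x$2/gi } ],
    [ 'iframe tag',          sub { $_[0] =~ s/<*(iframe)[^>]+>//gi } ],
    [ 'script tag',          sub { $_[0] =~ s/<*(script)[^>]+>//gi } ],
);

# Apply the chain on a copy and report which lines actually changed anything.
# After the first two steps there is no literal < or > left in the string, so
# every later step that needs one to match reports "(no change)".
sub run_filters {
    my ($value) = @_;
    my @log;
    for my $step (@steps) {
        my ($label, $code) = @$step;
        my $before = $value;
        $code->($value);
        push @log, sprintf "%-20s %s", $label,
            $before eq $value ? '(no change)' : $value;
    }
    return ($value, @log);
}

my ($result, @log) = run_filters($title);
print "$_\n" for @log;
print "final: $result\n";
```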


 4:10 pm on Sep 17, 2008 (gmt 0)

Perl Regular Expressions [search.cpan.org]. Stuff still drives me nuts sometimes. :-)


 6:42 pm on Sep 17, 2008 (gmt 0)

@ rocknbil

Now this is what I was looking for! I am sure I will find a lot of answers and even more input to make my thing even more secure than it is already.

Great place here. Great people. Thank you!


[edited by: phranque at 5:55 am (utc) on Sep. 21, 2008]
[edit reason] cleaning up [/edit]


 5:56 am on Sep 21, 2008 (gmt 0)

welcome to WebmasterWorld [webmasterworld.com], Auctioneer!
