Welcome to WebmasterWorld Guest from 54.196.233.208

Forum Moderators: coopster & jatar k & phranque

Message Too Old, No Replies

Perl Security related Filter - Lines

I have a problem

     
8:38 pm on Sep 16, 2008 (gmt 0)

New User

5+ Year Member

joined:Sept 16, 2008
posts: 10
votes: 0


I use Perl Script Source to create Online Auction Scripts. But, after looking for a long time, one of the very last Secrets (to me) are some lines security related Script Lines like the ones below:

$form{'TITLE'} =~ s/\</\&lt\;/g;
$form{'TITLE'} =~ s/\>/\&gt\;/g;
$form{'TITLE'} =~ s/[\"\'\}\{\)\(\+]//g;
$form{'TITLE'} =~ s/<!(?:--[\s\S]*?--\s*)?>\s*//g;
$form{'TITLE'} =~ s/[\~\^]//g;
$form{'TITLE'} =~ s/~!/ ~!/g;
$form{'TITLE'} =~ s/<*(javascript)[^>]+>//gi;
$form{'TITLE'} =~ s/(<[\s\/]*)(script\b[^>]*>)/$1x$2/gi;
$form{'TITLE'} =~ s/<*(iframe)[^>]+>//gi;
$form{'TITLE'} =~ s/<*(script)[^>]+>//gi;

I know what they (are supposed to) do, and I know what the meaning of some lines, like the ones here, is:
--
$form{'TITLE'} =~ s/\</\&lt\;/g;
$form{'TITLE'} =~ s/\>/\&gt\;/g;

something like:

if a=< them save this as &lt;
if a=> then save this &gt;
--
but I never found a Webpage anywhere explaining in detail everyone of all those "s/[\"\'\}\{\)\(\+]//g;---e.t.c." exact functions.

I care very much about security, and if I find some place where I can learn more about this, I would be very happy. I am a Swiss, so, my script-technical english is rather limited. This may make it a little harder to really understand everything written on the Web, especially when it comes to zbderstanding lines like: s/<!(?:--[\s\S]*?--\s*)?>\s*//g;

Thank you very much for your help.

Ernie

[edited by: phranque at 11:25 pm (utc) on Sep. 19, 2008]
[edit reason] No urls, please. See TOS [webmasterworld.com] [/edit]

11:25 pm on Sept 16, 2008 (gmt 0)

Preferred Member

10+ Year Member

joined:Jan 5, 2006
posts:536
votes: 0


What you need to know in order to understand those lines, is to read about regular expressions. There are no tutorials that are going to explain exactly what those particular regexps do. You need to know what all the symbols inside the regexps mean in order to understand what exactly they are doing. Some of them are not well written, like this one:

$form{'TITLE'} =~ s/[\"\'\}\{\)\(\+]//g;

there is no need for all the backslashes:

$form{'TITLE'} =~ s/["'}{)(+]//g;

what it does is removes all the characters inside the square brackets [] from $form{'TITLE'}. Its better written like so:

$form{'TITLE'} =~ tr/"'}{)(+//d;

When it comes to just removing some characters from a string tr/// is very efficient.

4:10 pm on Sept 17, 2008 (gmt 0)

Senior Member

WebmasterWorld Senior Member rocknbil is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Nov 28, 2004
posts:7999
votes: 0


Perl Regular Expressions [search.cpan.org]. Stuff still drives me nuts sometimes. :-)
6:42 pm on Sept 17, 2008 (gmt 0)

New User

5+ Year Member

joined:Sept 16, 2008
posts: 10
votes: 0


@ rocknbil

Now this is what I was looking for! I am sure I will find a lot of answers and even more input my make my thing even more secure than it is already.

Greast Place here. Great Peoples. Thank you!

Ernie

[edited by: phranque at 5:55 am (utc) on Sep. 21, 2008]
[edit reason] cleaning up [/edit]

5:56 am on Sept 21, 2008 (gmt 0)

Administrator

WebmasterWorld Administrator phranque is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 10, 2004
posts:10542
votes: 8


welcome to WebmasterWorld [webmasterworld.com], Auctioneer!