
untainting and secure forms

  • Lou Hernsen
    Message 1 of 1, Feb 6, 2007
      I am wanting to figure out how to create a safe form input .. untainter.. I
      guess.
      Below is some code... but I think that one thing I do not have, that I may
      need to have, is something that is very specific for each $name and $value..
      so that if $Quantity is always a number and only so many characters long....
      but what about messages from a text box?
      Are there any examples out there that are understandable to the beginner?
      Thanks
      Lou

      use strict;
      use warnings;

      # FailPage is called below but was not part of the posted code;
      # this minimal stand-in just aborts with the message.
      sub FailPage
      {
          my ($msg) = @_;
          die "$msg\n";
      }

      sub ParseInput
      {
          my %Input;
          my @pairs = split ( /&/, $_[0] );
          foreach my $pair (@pairs)
          {
              # limit of 2 keeps a value that itself contains "=" intact
              my ( $name, $value ) = split ( /=/, $pair, 2 );
              $value = '' unless defined $value;
              ###### $name/$value
              # changes plus sign to space
              $name =~ tr/+/ /;
              # converts hexadecimal characters to ASCII characters
              $name =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
              # changes plus sign to space
              $value =~ tr/+/ /;
              # converts hexadecimal characters to ASCII characters
              $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
              # chomps \n's
              $value =~ s/\n//g;
              # deletes embedded HTML comments - security measure to prevent
              # subverting server side includes (non-greedy so two comments do
              # not swallow the text between them; /s lets . match newlines)
              $value =~ s/<!--.*?-->//gs;
              # Filters out everything not in this list a-zA-Z0-9\.\-\_\@ or a space
              $value =~ s/[^a-z0-9\.\-\_\@\ ]//ig; # i=ignore case g=all occurrences
              # Check for email address: if an @ followed by a dot appears,
              # split and reconstitute as an email address
              if ($value =~ m/\@.*\./) # email address
              {
                  #### This will untaint for -T: only use $1/$2 when the match
                  #### succeeds, otherwise they still hold the previous captures
                  if ($value =~ m/(\S+)\@([\w.-]+)/)
                  {
                      $value = "$1\@$2";
                  }
              }
              if ($name eq "Email" )
              {
                  unless ($value =~ m/\@.*\./)
                  {
                      FailPage("You entered $value<BR>"
                          . "The email address you entered<BR>does not look like an email address.<BR>"
                          . "You may only use numbers, letters, dashes<BR>and underscores in your email address.");
                  }
              }
              # delete leading dashes
              while (substr($value,0,1) eq "-")
              {
                  $value = substr($value,1);
              }
              # reject the words system, exec & unlink
              if ($value =~ m/system/i || $value =~ m/exec/i || $value =~ m/unlink/i)
              {
                  FailPage("Unsafe verbiage is being used.<BR>Do not use the phrase \"$value\"");
              }
              if ($name eq "PW" )
              {
                  # the original used s/// here and failed when nothing needed
                  # removing, i.e. it rejected clean passwords; test with m// instead
                  if ($value =~ m/[^a-z0-9\-\_]/i)
                  {
                      FailPage("You may only use numbers, letters, dashes<BR>and underscores in your password.");
                  }
              }
              ######
              $Input{$name} = $value;
              ##############
          }
          return %Input;
      }
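A per-field approach to the question asked above (one rule per $name, with a length limit and an anchored whitelist pattern whose capture does the untainting under -T), written here as an added example; it is not part of Lou's posted code. The field names, their rules and the sample query string are assumptions made for illustration. Run it with `perl -T` so taint checking is on.

```perl
use strict;
use warnings;

# Per-field rules: each field gets an anchored whitelist pattern (so the
# capture is the entire value) and a maximum length. The field names and
# limits below are assumptions chosen for illustration.
my %RULES = (
    Quantity => { re => qr/^([0-9]{1,4})$/,                       max => 4    },
    Email    => { re => qr/^([\w.+-]+\@[\w-]+(?:\.[\w-]+)+)$/,     max => 254  },
    PW       => { re => qr/^([A-Za-z0-9_-]{8,64})$/,               max => 64   },
    # Free text from a text box: printable ASCII plus line breaks, nothing else.
    Message  => { re => qr/^([\x20-\x7E\r\n]{1,2000})$/,           max => 2000 },
);

# Same decoding the posted code does: '+' to space, %XX to the byte.
sub url_decode {
    my ($s) = @_;
    $s =~ tr/+/ /;
    $s =~ s/%([0-9a-fA-F]{2})/chr(hex($1))/eg;
    return $s;
}

# Returns (value, undef) on success or (undef, reason) on rejection.
sub validate_field {
    my ($name, $raw) = @_;
    my $rule = $RULES{$name}
        or return (undef, "unexpected field '$name'");
    return (undef, "$name is too long")
        if length($raw) > $rule->{max};
    # Capturing through the anchored whitelist is what untaints under -T:
    # $1 is only set when the whole value matched the pattern.
    if ($raw =~ $rule->{re}) {
        return ($1, undef);
    }
    return (undef, "$name contains characters that are not allowed");
}

# Decodes a query string and returns (\%clean, \@errors); fields that fail
# validation are left out of %clean rather than silently "cleaned up".
sub parse_input {
    my ($query) = @_;
    my (%clean, @errors);
    for my $pair (split /&/, $query) {
        my ($name, $value) = map { url_decode($_) } split(/=/, $pair, 2);
        $value = '' unless defined $value;
        my ($ok, $err) = validate_field($name, $value);
        if (defined $ok) { $clean{$name} = $ok } else { push @errors, $err }
    }
    return (\%clean, \@errors);
}

# Constructed sample query string, as a browser would submit it.
my $sample = 'Quantity=12&Email=lou%40example.com&PW=s3cret-pw1'
           . '&Message=Hello+there%21%0AThanks&Quantity2=5';
my ($clean, $errors) = parse_input($sample);
printf "%-8s => %s\n", $_, $clean->{$_} for sort keys %$clean;
print "rejected: $_\n" for @$errors;
```

The difference from the posted ParseInput is that nothing is stripped out and then trusted: a value either matches its field's whole pattern and is accepted as $1, or the field is rejected with a reason the form can show back. Adding a new input is one line in %RULES, and an unknown field name (Quantity2 in the sample) is rejected rather than stored.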