PERL CGI Beginners archive, January 2006: Wildcards
Bill Stephenson  2006-01-10, 3:56 am

I have this in a script that searches some files of saved CGI.pm
objects:

    foreach my $item (@record_list) {
        if (open(my $FILE, "$path/$item")) {
            # Throw out the old $CUSTOMER, replace it with a new one
            $CUSTOMER = new CGI($FILE);
            close $FILE;
            if ($CUSTOMER->param('c_name') =~ /^$customer_search_term/i) {
                $match = $CUSTOMER->param('c_name');
                push(@items, $match);
                $counter++;
            }
            elsif ($CUSTOMER->param('c_contact') =~ /^$customer_search_term/i) {
                $match = $CUSTOMER->param('c_contact');
                push(@items, $match);
                $counter++;
            }
        }
    }
I was playing around with it and found when I enter a "*" character it
matches all records. That's kind of a feature for the users of
this script. Are there any other special characters that will affect
the results?
Kindest Regards,
--
Bill
Charles K. Clarkson  2006-01-10, 3:56 am

Bill Stephenson <bills@perlhelp.com> wrote:
: I was playing around with it and found when I enter a "*" character
: it matches all records. That's kind of a feature for the users
: of this script. Are there any other special characters that will
: affect the results?
Yes. Many many. What you are matching above is a null string.
It is not a good practice. You'll get a warning if you turn on
warnings (which *is* a good thing). If the regex engine did not
specifically check for this condition the expression would create
an infinite loop. Run this script.
    #!/usr/bin/perl
    use strict;
    use warnings;
    use diagnostics;
    my @matches = grep /^*/i, qw(foo bar baz), '';
    print scalar @matches;
    __END__
It is usually better to eliminate as many special characters
in a search pattern as possible. Not doing so is a big security
risk. The 'quotemeta' function and the \Q operator are meant for
this purpose. Also check out the references to tainted data in
perlsec and in perlfaq7.
You're right, '*' is a handy way to match all the records in
your case. Just be aware of the pitfalls involved in relying on
special characters to do the work. There are many many people
out there who can wreak havoc on your server if you allow it.
Beware.
HTH,
Charles K. Clarkson
--
Mobile Homes Specialist
254 968-8328
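Charles's advice in working form, as an added example that is not code from the thread: the raw interpolation Bill's script uses, the \Q...\E (quotemeta) version, and a version where only '*' is a deliberate wildcard. The customer names are constructed sample data.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample data standing in for the c_name values Bill's
# script pulls out of the saved CGI.pm objects.
my @names = ('Acme Widgets', 'Acme (East)', 'Baker Tools', 'C.K. Clarkson');

# As in the original: the term is interpolated unescaped, so every
# regex metacharacter in it is live ('*' gives /^*/ and a warning).
sub match_raw {
    my ($term, @list) = @_;
    return grep { /^$term/i } @list;
}

# Hardened: \Q...\E (the same as calling quotemeta) escapes every
# metacharacter, so the term can only match itself.
sub match_literal {
    my ($term, @list) = @_;
    return grep { /^\Q$term\E/i } @list;
}

# Deliberate wildcard: only '*' stays special. The pieces between
# stars are quotemeta'd and rejoined with '.*'.
sub match_glob {
    my ($term, @list) = @_;
    my $pattern = join '.*', map { quotemeta } split /\*/, $term, -1;
    return grep { /^$pattern/i } @list;
}

for my $term ('acme', '*', '.', 'Acme (', 'Acme (*', 'a*e*s') {
    # A raw term such as 'Acme (' is not even a valid pattern; eval
    # keeps the die from ending the demonstration.
    my @raw = eval { match_raw($term, @names) };
    my $raw = $@ ? 'regex error' : scalar @raw;
    printf "%-10s raw=%-11s literal=%d glob=%d\n", "'$term'", $raw,
        scalar(match_literal($term, @names)),
        scalar(match_glob($term, @names));
}
```

With these names, '.' matches all four records raw and none literally, and 'Acme (' dies raw but finds 'Acme (East)' once escaped.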
Bill Stephenson  2006-01-10, 3:56 am

On Dec 26, 2005, at 3:44 PM, Charles K. Clarkson wrote:
> It is usually better to eliminate as many special characters
> in a search pattern as possible. Not doing so is a big security
> risk. The 'quotemeta' function and the \Q operator are meant for
> this purpose. Also check out the references to tainted data in
> perlsec and in perlfaq7.
>
> You're right, '*' is a handy way to match all the records in
> your case. Just be aware of the pitfalls involved in relying on
> special characters to do the work. There are many many people
> out there who can wreak havoc on your server if you allow it.
> Beware.
>
> HTH,
Sorry about the slow reply. It certainly does help; thank you very much,
Charles.
I wasn't too worried about it because the only thing the user can match
against is a pre-defined list and I don't see how this creates a
security risk. I haven't been able to get any unexpected or insecure
results using meta characters (other than the one I mentioned), but I
went ahead and made the changes referenced in the docs you pointed to
anyway. I guess I can just write my own code to handle a wildcard
search if it's really needed.
Kindest Regards,
--
Bill Stephenson
Paul Lalli  2006-01-10, 3:56 am

Bill Stephenson wrote:
> On Dec 26, 2005, at 3:44 PM, Charles K. Clarkson wrote:
>
> I wasn't too worried about it because the only thing the user can match
> against is a pre-defined list and I don't see how this creates a
> security risk.
Who says that's the only thing the user can match against? Your form?
What exactly prevents a user from contacting your CGI script directly,
without going through your form?
You can never assume that a user will only use your form to contact
your CGI script.
Paul Lalli