Hi all,
I have a simple form that allows users to input their
name and a message and then email that to me.
The message is in a textarea field.
I'm concerned that I am not properly escaping certain
characters that I would like to let through (?\.').
Here's my snippet:
use strict;
use warnings;
use CGI;

my $q = CGI->new;
my $question;

# First, escape any ?, \ and .
my $que = $q->param('question');
$que =~ s/([?\\\.'])/\\$1/g;
# Next, untaint the form field, allowing
# for ?, \ and .
if ($q->param('name') =~ /^(\w[\w ]*)$/) {
    $question = $1;
}
When I run this, I get things like "Where is my
shoe\?" (which seems correct to me).
But I want to make sure that I have effectively made
sure that whatever is in the text area can't bite me
later on.
Thanks for any insight,
--Mark.
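An added example, not the poster's code, showing the approach a reviewer would suggest for this form. Backslash-escaping `?`, `\` and `.` does not protect anything when the text is only ever a mail body; what matters is where each field ends up. The name field is placed in a mail header, so it is allow-listed with an anchored pattern (under taint mode the capture `$1` is the untainted value, exactly as in the poster's untaint line). The message is data, so it is passed through unchanged apart from stripping control characters and capping its length. The field names, the recipient address and the sample inputs are all constructed for the example.

```perl
#!/usr/bin/perl
# Added example, not the original poster's code. Assumes two form fields
# ('name' and 'question') and a placeholder recipient address.
use strict;
use warnings;

my $RECIPIENT = 'me@example.invalid';   # placeholder, not a real address

# Allow-list the name field. It will be placed in a mail header, so the
# pattern admits only letters, digits, spaces, apostrophes and hyphens and
# is anchored with \A...\z so a value containing a newline can never match.
# Under -T the capture $1 is the untainted value.
sub clean_name {
    my ($name) = @_;
    return undef unless defined $name;
    return $name =~ /\A([\w' -]{1,60})\z/ ? $1 : undef;
}

# The message body is data, not code, so no backslash escaping is needed.
# Strip control characters other than newline and tab, and cap the size.
sub clean_message {
    my ($msg) = @_;
    return undef unless defined $msg;
    $msg =~ s/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]//g;
    return length($msg) <= 5000 ? $msg : undef;
}

# Assemble the mail as a string. Handing it to sendmail would use the list
# form of open so no shell is involved:
#   open my $mta, '|-', '/usr/sbin/sendmail', '-t' or die $!;
sub build_mail {
    my ($name, $msg) = @_;
    return join "\n",
        "To: $RECIPIENT",
        "Subject: Question from $name",
        "",
        $msg,
        "";
}

# Constructed sample inputs.
my @samples = (
    [ "Mark",          "Where is my shoe? It's in /tmp." ],
    [ "Mark\nextra",   "hello" ],   # newline in a header-bound field
    [ "Mark (admin)",  "hi"    ],   # punctuation outside the allow-list
);

for my $s (@samples) {
    my ($n, $m) = ( clean_name($s->[0]), clean_message($s->[1]) );
    if (defined $n && defined $m) {
        print build_mail($n, $m);
    } else {
        print "rejected: ", (defined $n ? "message" : "name"), "\n";
    }
}
```

The first sample produces a mail whose body still reads "Where is my shoe? It's in /tmp." with no backslashes, because nothing in a mail body needs escaping; the second and third are rejected at the name check rather than being escaped and passed on.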