On Dec 26, 2005, at 3:44 PM, Charles K. Clarkson wrote:

    It is usually better to eliminate as many special characters
in a search pattern as possible. Not doing so is a big security
risk. The 'quotemeta' function and the \Q operator are meant for
this purpose. Also check out the references to tainted data in
perlsec and in perlfaq7.

    You're right, '*' is a handy way to match all the records in
your case. Just be aware of the pitfalls involved in relying on
special characters to do the work. There are many many people
out there who can wreak havoc on your server if you allow it.
Beware.

HTH,

Sorry about the slow reply. It certainly does help, thank you very much Charles.

I wasn't too worried about it because the only thing the user can match against is a pre-defined list and I don't see how this creates a security risk. I haven't been able to get any unexpected or insecure results using meta characters (other than the one I mentioned), but I went ahead and made the changes referenced in the docs you pointed to anyway. I guess I can just write my own code to handle a wildcard search if it's really needed.

Kindest Regards,

--
Bill Stephenson
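As an added illustration (not code from either poster), the following Perl puts the quotemeta / \Q approach Charles describes next to the unsafe interpolation it replaces, and adds the kind of home-grown wildcard search Bill mentions, where only '*' is re-enabled after everything has been escaped. The record list is constructed for the demo.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed stand-in for the pre-defined list the user may match against.
my @records = ('alpha.txt', 'alphabet', 'ant', 'beta');

# Unsafe: user text is compiled as a regex. A lone '*' fails to compile
# ("Quantifier follows nothing") and '.' matches any character, so 'a.t'
# also hits 'ant'. The eval only stops the compile error from killing the script.
sub search_unsafe {
    my ($pattern, @list) = @_;
    my $re = eval { qr/$pattern/ } or return ();
    return grep { $_ =~ $re } @list;
}

# Safe literal match: \Q...\E (equivalent to quotemeta) escapes every
# non-word character, so '.' and '*' are ordinary text.
sub search_literal {
    my ($text, @list) = @_;
    my $re = qr/\Q$text\E/;
    return grep { $_ =~ $re } @list;
}

# Controlled wildcard: split on '*', quotemeta each literal piece, and rejoin
# with '.*'. Only '*' has a special meaning; the match is anchored like a glob.
sub search_wildcard {
    my ($text, @list) = @_;
    my $re = join '.*', map { quotemeta } split /\*/, $text, -1;
    return grep { $_ =~ /^$re$/ } @list;
}

for my $input ('*', 'a.t', 'alpha*') {
    printf "%-7s literal=[%s] wildcard=[%s] unsafe=[%s]\n", $input,
        join(',', search_literal($input, @records)),
        join(',', search_wildcard($input, @records)),
        join(',', search_unsafe($input, @records));
}
```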

