>>>>> "Timothy" == Timothy Johnson <[EMAIL PROTECTED]> writes:
Timothy> Okay, I get what you're saying about \z, sort of, assuming
Timothy> that the user doesn't have to enter in the text at a prompt
Timothy> and you're not reading from a file where lines are delimited
Timothy> by newlines, but I don't get where this ties into security.
Timothy> Could you explain?

Suppose you used that to validate a new username in $string. And then,
having validated that, you use $string to create a new line in a
passwd-like file:

    print PASSWORD $string, ":", $newpassword, ...;

oops... I just corrupted your password file with my new user ID, and I
might be able to use that either for a denial-of-service, or perhaps
gimmick up a better user status for myself.

First rule of security -- Make sure your validations actually work!
Yours didn't, and that means that life would be sweet for the intruder.

--
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<[EMAIL PROTECTED]> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
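
The validation gap described in the message above, as an added example that is not code from the original thread. The pattern `/^\w+$/`, the helper names and the sample usernames are assumptions, since the regex under discussion is not quoted in this message.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Weak check (assumed pattern): without /m, "$" matches at the very end
# of the string OR just before a single trailing newline.
sub valid_weak   { my ($s) = @_; return $s =~ /^\w+$/   ? 1 : 0 }

# Strict check: \A and \z anchor to the absolute start and end of the string.
sub valid_strict { my ($s) = @_; return $s =~ /\A\w+\z/ ? 1 : 0 }

# Build the record the way the message does: name, ":", password.
sub passwd_record { my ($name, $pw) = @_; return "$name:$pw\n" }

# Constructed sample input: one clean name, one with a newline left on the end.
my @candidates = ("alice", "mallory\n");

for my $name (@candidates) {
    # Make the newline visible when printing the candidate.
    (my $shown = $name) =~ s/\n/\\n/g;
    printf "%-12s weak=%d strict=%d\n",
        qq("$shown"), valid_weak($name), valid_strict($name);

    # Only names the weak check accepts would reach the file.
    next unless valid_weak($name);

    # Count how many lines the single "record" occupies once written.
    my @lines = split /\n/, passwd_record($name, 'x');
    printf "    record occupies %d line(s) in the file\n", scalar @lines;
}
```

A record that spans more than one line is the corruption the message refers to; validating with `\z` rejects the input before it is written.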