Dr.Ruud on Monday, 24 July 2006 20:54:
> "D. Bolliger" wrote:
> > # input sanitizing
> > #
> > my $re_range=qr/\d+\s*\.\.\s*\d+/;
> > $user_input=~/^\s*$re_range(?:\s*,\s*$re_range)*\s*$/
> >   or die 'invalid input!';
> >
> > my @list4=eval $user_input;
>
> An embedded newline can fool that test.
>
> You can make it much stricter,
> by replacing the \s by [[:blank:]],
> and the ending $ by \z.
>
> $re_range = qr/ [[:blank:]]*
>                 \d+
>                 [[:blank:]]*
>                 \.\.
>                 [[:blank:]]*
>                 \d+
>                 [[:blank:]]*
>               /x ;
>
> $re_input = qr/\A $re_range (?: , $re_range )* \z/x ;
Yes, you are right that whitespace other than ' ' can pass this test, and if only single-line input is allowed, it is certainly better to implement the restrictions accordingly. On the other hand, even newlines (that pass the test) lead to a string that evals without error. I should have mentioned it. In other contexts, say checking an alphanumeric string intended to be used in a mail header passed to sendmail, using \s instead of [[:blank:]] would be a bad idea.

Dani
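The following script is an added example, not code from either poster: it runs the loose check from the original post (\s and $) and the stricter one (\A, [[:blank:]], \z) side by side on constructed inputs, and shows how to expand the validated ranges into a list without passing user input to eval at all. The expand_ranges subroutine and the sample inputs are my own.

```perl
#!/usr/bin/perl
# Added example (not from the thread): loose vs. strict validation of
# "N..M, N..M" range lists, plus a parser that replaces eval entirely.
use strict;
use warnings;

# Loose check from the original post: \s matches newline, $ matches
# before a trailing newline.
my $loose_range  = qr/\d+\s*\.\.\s*\d+/;
my $loose_input  = qr/^\s*$loose_range(?:\s*,\s*$loose_range)*\s*$/;

# Stricter check from the reply: only spaces/tabs, anchored to the
# true start and end of the string.
my $strict_range = qr/ [[:blank:]]* \d+ [[:blank:]]* \.\. [[:blank:]]* \d+ [[:blank:]]* /x;
my $strict_input = qr/\A $strict_range (?: , $strict_range )* \z/x;

# Expands e.g. "1..3, 7..8" into (1,2,3,7,8) after strict validation.
# The string is never handed to eval; the numbers are pulled out and
# the range operator is applied to them directly.
sub expand_ranges {
    my ($input) = @_;
    $input =~ $strict_input or die "invalid input!\n";
    my @list;
    for my $range (split /,/, $input) {
        my ($lo, $hi) = $range =~ /(\d+)[[:blank:]]*\.\.[[:blank:]]*(\d+)/;
        push @list, $lo .. $hi;
    }
    return @list;
}

# Constructed test inputs.
my @inputs = (
    "1..3, 7..8",      # well-formed single line: both checks pass
    "1..3,\n7..8",     # embedded newline: \s accepts it, [[:blank:]] does not
    "1..3, 7..8\n",    # trailing newline: $ accepts it, \z does not
);

for my $in (@inputs) {
    (my $shown = $in) =~ s/\n/\\n/g;
    printf "%-16s loose=%s strict=%s\n", qq("$shown"),
        ($in =~ $loose_input  ? 'pass' : 'fail'),
        ($in =~ $strict_input ? 'pass' : 'fail');
}

print join(',', expand_ranges("1..3, 7..8")), "\n";
```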