* RoMaN SoFt / LLFB!! wrote on Mon, Dec 18, 2000 at 13:39 +0100:
> Now I want to protect my CGI. Basically it only takes two strings: one which only contains numbers and another more generic one (it can contain ";,|<>"... etc). I want to correctly (= securely) parse the variables before using them.
Better to use a positive list with allowed chars than a negative list with prohibited ones - if you forget a char, it's not insecure (but maybe not working, which is the better choice I think). Of course it's best to make the regexps as concrete as possible. If you expect a time, use "\d\d:\d\d" and not more.

Input validation is a complex problem, and depends heavily on your program IMHO.

If you use Perl, always use "-Tw" as command line switches. The taint mode is really great.

oki,
Steffen

--
This message was generated by machine and therefore bears neither signature nor seal.
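The positive-list regexps and the Perl taint mode recommended in the reply above, as an added worked example written for this page (it is not code from the original thread). It assumes a CGI with two parameters named `id` (digits only) and `when` (a `\d\d:\d\d` time); the ten-digit length limit, the hour/minute range check and the sample inputs are assumptions and constructed data.

```perl
#!/usr/bin/perl -Tw
# Added example, not from the original thread: positive-list validation of
# the two CGI parameters under taint mode (-T), warnings on (-w).
use strict;
use warnings;

# Under -T every value that comes from outside the program (query string,
# %ENV, STDIN, file reads) is tainted, and perl refuses to pass it to
# system(), open() for writing, exec() etc. The only sanctioned way to
# untaint is to extract the value through a regex capture group, so the
# capture must be anchored and must list exactly the characters allowed.
# \A ... \z is used instead of ^ ... $ because $ also matches before a
# trailing newline, which would let "42\n" through as a "number".

# -T also demands a safe PATH before any external command is run.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Parameter 1: numbers only. Assumed limit of ten ASCII digits.
sub untaint_number {
    my ($raw) = @_;
    return undef unless defined $raw;
    # [0-9] rather than \d, so Unicode digit characters are excluded too.
    return $raw =~ /\A([0-9]{1,10})\z/ ? $1 : undef;
}

# Parameter 2: a time, "\d\d:\d\d" as the reply suggests, plus an assumed
# range check so that "99:99" does not pass as a valid time.
sub untaint_time {
    my ($raw) = @_;
    return undef unless defined $raw;
    return undef unless $raw =~ /\A([0-9]{2}):([0-9]{2})\z/;
    my ($h, $m) = ($1, $2);     # $1/$2 are untainted copies
    return undef if $h > 23 || $m > 59;
    return "$h:$m";
}

# In the real CGI the values would come from CGI.pm, e.g.
#   use CGI; my $q = CGI->new;
#   my $id   = untaint_number($q->param('id'))   // die "bad id";
#   my $when = untaint_time($q->param('when'))   // die "bad time";
# and $id / $when can then be used in system() without a taint error.

# Stand-alone demonstration on constructed attacker-style inputs.
if (!caller) {
    my @samples = (
        [ number => '42' ],
        [ number => '42; rm -rf /' ],
        [ number => "42\n" ],            # would pass an unanchored or ^...$ check
        [ number => '4e2' ],
        [ time   => '12:30' ],
        [ time   => '12:30|mail x@y' ],
        [ time   => '99:99' ],
        [ time   => '1:30' ],
    );
    for my $s (@samples) {
        my ($kind, $raw) = @$s;
        my $clean = $kind eq 'number' ? untaint_number($raw) : untaint_time($raw);
        (my $shown = $raw) =~ s/\n/\\n/g;
        printf "%-6s %-16s -> %s\n", $kind, "'$shown'",
               defined $clean ? "ok: $clean" : "rejected";
    }
}
```

Run it as `perl -Tw validate.pl` (or rely on the `#!` line; perl insists the `-T` on the shebang matches the command line). Only the two literal inputs that match the positive lists survive; everything containing `;`, `|`, `@`, a trailing newline or an out-of-range field is rejected before it could reach a shell.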