[Dbix-class] Re: [Catalyst] untainting utf8 text for db

Daniel McBrearty danielmcbrearty at gmail.com
Sat Jun 7 11:25:13 BST 2008


Of course. But how do you regex an inclusive list for any character in
any human language?


On Fri, Jun 6, 2008 at 7:46 PM, Mesdaq, Ali <amesdaq at websense.com> wrote:
> No escape sequence should get through if you reject any characters
> outside of the allowed characters. For example you could just reject the
> input and prompt for another input if this regex matches
> (?:[^a-zA-Z0-9 _]+)
> So escape sequences shouldn't affect this test.
>
> Thanks,
> ------------------------------------------
> Ali Mesdaq (CISSP, GIAC-GREM)
> Security Researcher II
> Websense Security Labs
> http://www.WebsenseSecurityLabs.com
> ------------------------------------------
>
> -----Original Message-----
> From: Daniel McBrearty [mailto:danielmcbrearty at gmail.com]
> Sent: Thursday, June 05, 2008 11:07 PM
> To: The elegant MVC web framework
> Cc: DBIx::Class user and developer list
> Subject: [Dbix-class] Re: [Catalyst] untainting utf8 text for db
>
> Thanks for the suggestions. Indeed, specifying a list of chars which is
> clean (e.g. [a-zA-Z0-9_] for a username in English) is optimum, and I
> prefer that. But when you are working with fully multilingual material,
> this becomes pretty much impossible. As the site in question is all
> about language learning and could eventually handle any language, that
> is the issue.
>
> Rejecting some of the suspicious chars you suggest is something I will
> do - but even that is not foolproof as there are various ways (more than
> one, IIRC, but I'm not sure what they all are) of using escape sequences
> to get through.
>
> Of the list you suggest, I'd need to keep (, ), ? - all the rest I could
> kill quite happily.
>
> Again, thanks for the input. I'm going to forward this to the
> DBIx::Class list (as that is probably where it should have gone in the
> first place).
>
> _______________________________________________
> List: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/dbix-class
> IRC: irc.perl.org#dbix-class
> SVN: http://dev.catalyst.perl.org/repos/bast/DBIx-Class/
> Searchable Archive:
> http://www.grokbase.com/group/dbix-class@lists.rawmode.org
>
> _______________________________________________
> List: Catalyst at lists.scsys.co.uk
> Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
> Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
> Dev site: http://dev.catalyst.perl.org/
>



-- 
Daniel McBrearty
email : danielmcbrearty at gmail.com
http://www.engoi.com
http://danmcb.vox.com
http://danmcb.blogger.com
find me on linkedin and facebook
BTW : 0873928131
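An added example, not part of the thread and not code from the Catalyst or DBIx::Class projects, showing one answer to the question above: instead of an ASCII range such as `[a-zA-Z0-9_]`, build the allowlist from Unicode general-category properties (`\p{L}` letters, `\p{M}` combining marks, `\p{N}` digits), which Perl's regex engine supports natively, and add only the few punctuation characters the application needs (the `(`, `)` and `?` mentioned in the thread; `.`, `,` and `!` are an added assumption). The helper name `untaint_text`, the length cap of 500, and the sample inputs are constructed for this example; it assumes the request body has already been decoded from UTF-8 bytes into a Perl character string before validation.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use utf8;                               # string literals below are UTF-8 characters
use Unicode::Normalize qw(NFC);         # core module: canonical composition
binmode STDOUT, ':encoding(UTF-8)';

# Allowlist for multilingual free text, built from Unicode properties rather
# than an ASCII range: letters (\p{L}), combining marks (\p{M}), digits (\p{N}),
# a plain space, and a short explicit list of ASCII punctuation.
# Control characters, format characters (e.g. bidi overrides) and unassigned
# code points belong to none of these classes, so they are rejected without
# having to be listed one by one.  The {1,500} length cap is an assumption.
my $ALLOWED_TEXT = qr/\A([\p{L}\p{M}\p{N} ().,!?]{1,500})\z/;

# Hypothetical helper (not from the thread): returns the normalized, untainted
# string, or undef if any character falls outside the allowlist.  Capturing the
# value through the regex match is what clears Perl's taint flag under -T.
sub untaint_text {
    my ($text) = @_;
    return undef unless defined $text;
    $text = NFC($text);                 # one canonical form before validating and storing
    my ($clean) = $text =~ $ALLOWED_TEXT or return undef;
    return $clean;
}

# Constructed sample inputs: several scripts that must pass, and a few inputs
# that must be rejected.
my @samples = (
    "Daniel McBrearty",
    "Grüße aus Köln",
    "こんにちは、世界",
    "Здравствуй, мир!",
    "مرحبا (السلام عليكم)?",
    "e\x{0301}clair",                   # decomposed accent: NFC folds it to é
    "name; extra",                      # ';' is not in the allowlist
    "hello\x{0000}world",               # embedded NUL (a control character)
    "text\x{202E}reversed",             # RIGHT-TO-LEFT OVERRIDE, a format character
    "",                                 # empty: the {1,500} quantifier rejects it
);

for my $s (@samples) {
    my $label = $s;
    $label =~ s/[^\p{L}\p{M}\p{N}\p{P} ]/?/g;   # keep the demo output printable
    printf "%-30s %s\n", "'$label'", defined untaint_text($s) ? 'accepted' : 'rejected';
}
```

This validates the shape of the input; it is not what stops escape sequences from becoming SQL syntax. That job belongs to bind parameters, which DBIx::Class uses for values, so a character that is legitimate in some language never has to be excluded merely because it would be special inside a hand-built SQL string. Normalizing to NFC before the match also means the database sees one spelling of "é" rather than two.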