On Sat, 07 Aug 2004 06:25:00 -0000, bitlance winter said:
> #! The first function takes the negative approach.
> #! Use a list of bad characters to filter the data
> sub FilterNeg {
> local( $fd ) = @_;
> $fd =~ s/[\<\>\"\'\%\;\)\(\&\+]//g;
> return( $fd ) ;
> }
*BZZT!!* Wrong. Don't do this in production code, because...
> I have understood that bad characters are
> < > " ' % ; ) ( & +
If it turns out that * (asterisk) is a "bad character", you're screwed.
If it turns out that *any other* character is "bad", you're screwed.
The *proper* way to do the filtering is to *remove* *all* characters
not known to be good. Something like:
$fd =~ s/[^-_ a-zA-Z0-9]//g;
Only pass alphabetic, numeric, space, hyphen, and underscore. Add other
characters *only* if you can show they are *not* a problem.
Attachment:
pgp00016.pgp
Description: PGP signature