[Israel.pm] RegEx in HTML Character

ik idokan at gmail.com
Tue Jan 29 10:10:29 PST 2008


On Jan 29, 2008 7:00 AM, Yona Shlomo <yona at cs.technion.ac.il> wrote:
> On Mon, 28 Jan 2008, Georges EL OJAIMI wrote:
> > Hello,
> >
> > Yona Shlomo wrote:
> >> How does the following help prevent HTML characters and SQL
> >> injection into the database?
> Can you answer this question? How does this transformation
> of yours help prevent SQL injections?

Personally I'm removing chars that I do not expect to have, so if I
expect a number value, I do something like this:


Now chars that might effect HTML/SQL are escaped when I use them on
HTML/SQL (not before, because it might change the content that I wish
to check, like %20 for spaces [in URI] etc).
On SQL, I also use binding (if possible I recommend name binding
rather then anonymous binding).
I usually create some sort of tools that does all of this for me, so I
will not have to write a lot of code for each work I require, and you
might even want to create a module such as Sanitize::HTML and
Sanitize::SQL that will be able to work well.
For HTML I recommend the cgi module, it has great escaping features.


More information about the Perl mailing list