Re: Can this be rewritten better?
- From: Nikos <hackeras@xxxxxxxxx>
- Date: Sat, 30 Apr 2005 14:18:50 +0300
Joe Smith wrote:

> Henry Law wrote:
>
> > if( param('select') and param('select') !~ /\.\./ )
> >
> > I don't know what this is doing but it looks odd to me. I can't imagine what the two calls to "param" are returning which, when anded together, could ever look like "..".
>
> They're not anded together. To perform an AND operation on two integers requires using & not && or 'and'. The quoted line translates to "if param('select') is true (not undef, not '', not 0, not '0') and the value does not contain two consecutive periods ...".
>
> It probably makes more sense to write it as if (defined param('select') and param('select') !~ /\.\./) { ... }
>
> -Joe
I wrote it like this to avoid letting hackers pass CGI parameters that open files from the address bar, like:

http://www.nikolas.tk/cgi-bin/index.pl?select='../../somepath/somefile') :-)
--
I knew UNIX before it was spelled L I N U X
and
I knew INTERNET before it was spelled W W W
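A small Perl script, added here as an example and not part of the thread, that runs Joe's reading of the line above against a few constructed query values and shows the & versus 'and' contrast he describes. The `param` sub is a hypothetical stand-in for CGI.pm's function (a fixed hash instead of a real request), and the allow-list regex is an added suggestion, not something anyone in the thread proposed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed stand-in for CGI.pm's param(): a fixed hash of query values
# instead of a real request, so the script runs offline.
my %query = (
    select   => 'news.html',
    dotdot   => '../../somepath/somefile',
    absolute => '/some/other/file',
    empty    => '',
);
sub param { my ($name) = @_; return $query{$name}; }

# Joe's reading of the original line: 'and' is a logical operator, so the
# left side tests truthiness of the value and the right side is the regex
# test; no bitwise AND of two values takes place.
sub passes_dotdot_check {
    my ($name) = @_;
    return ( param($name) and param($name) !~ /\.\./ ) ? 1 : 0;
}

# A stricter allow-list (added suggestion, not from the thread): accept only
# a bare file name made of word characters, hyphens and interior dots, which
# rules out slashes and leading dots as well as "..". Note that the ".."
# check alone lets an absolute path through; the allow-list does not.
sub passes_allowlist {
    my ($name) = @_;
    my $v = param($name);
    return 0 unless defined $v;
    return ( $v =~ /\A[A-Za-z0-9_-]+(?:\.[A-Za-z0-9_-]+)*\z/ ) ? 1 : 0;
}

# The contrast Joe draws: & is a bitwise AND on integers, while 'and' is a
# logical operator that yields the last value it evaluated.
sub bitwise_and { my ($x, $y) = @_; return $x & $y; }
sub logical_and { my ($x, $y) = @_; return ( $x and $y ); }

for my $name (qw(select dotdot absolute empty)) {
    printf "%-8s dotdot_check=%d allowlist=%d\n",
        $name, passes_dotdot_check($name), passes_allowlist($name);
}
printf "6 & 3 = %d\n",   bitwise_and(6, 3);
printf "6 and 3 = %s\n", logical_and(6, 3);
```

Run it as `perl check.pl`; the `absolute` row is the one to look at, since it passes the original ".." test but fails the allow-list.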